Windows Analysis Report
CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe

Overview

General Information

Sample Name:CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe
Analysis ID:736949
MD5:045f22ce9be3d33b07a00780ee66fcfd
SHA1:91b74e75d55c33d8d82b10bed51ca7d3ad80147c
SHA256:e05ec32c2edc10b6917a3cbcac9d823cb37db908cc51f3ec459800992e2b8b37
Infos:

Detection

GuLoader
Score:60
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Yara detected GuLoader
Initial sample is a PE file and has a suspicious name
Tries to detect virtualization through RDTSC time measurements
Executable has a suspicious name (potential lure to open the executable)
Uses 32bit PE files
Drops PE files
Contains functionality to shutdown / reboot the system
Detected potential crypto function
PE / OLE file has an invalid certificate
Contains functionality to dynamically determine API calls
Abnormal high CPU Usage
Contains functionality for read data from the clipboard

Classification

  • System is w10x64
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000000.00000002.835753026.0000000002A70000.00000040.00000800.00020000.00000000.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security |
    No Sigma rule has matched
    No Snort rule has matched

    Source: CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe, Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
    Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe, Registry value created: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Bestyrelsesformanden
    Source: CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe, Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
    Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe, Code function: 0_2_0040676F FindFirstFileW,FindClose
    Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe, Code function: 0_2_00405B23 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose
    Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe, Code function: 0_2_00402902 FindFirstFileW
    Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe, File opened: C:\Users\user\AppData\Roaming
    Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe, File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
    Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe, File opened: C:\Users\user
    Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe, File opened: C:\Users\user\AppData\Roaming\Microsoft
    Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe, File opened: C:\Users\user\AppData
    Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe, File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
    Source: CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe, String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
    Source: CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe, String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
    Source: CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe, String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
    Source: CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe, String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
    Source: CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe, String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
    Source: CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe, String found in binary or memory: http://ocsp2.globalsign.com/rootr306
    Source: CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe, String found in binary or memory: http://ocsp2.globalsign.com/rootr606
    Source: CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe, String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
    Source: CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe, String found in binary or memory: https://www.globalsign.com/repository/0
    Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe, Code function: 0_2_004055B8 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard

    System Summary

    Source: initial sample, Static PE information: Filename: CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe
    Source: CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe, Static file information: Suspicious name
    Source: CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe, Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
    Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe, Code function: 0_2_004034C5 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
    Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe, Code function: 0_2_00407458
    Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe, Code function: 0_2_00406C81
    Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe, Code function: 0_2_739A1B5F
    Source: CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe, Static PE information: invalid certificate
    Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe, Process Stats: CPU usage > 98%
    Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe, File read: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe
    Source: CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe, Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
    Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe, Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe, Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
    Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe, Code function: 0_2_004034C5 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
    Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe, File created: C:\Users\user\AppData\Roaming\Shoved
    Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe, File created: C:\Users\user\AppData\Local\Temp\nsc73B.tmp
    Source: classification engine, Classification label: mal60.troj.evad.winEXE@1/3@0/0
    Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe, Code function: 0_2_004021A2 CoCreateInstance
    Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe, File read: C:\Users\desktop.ini
    Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe, Code function: 0_2_00404858 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW
    Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe, Registry value created: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Bestyrelsesformanden
    Source: CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe, Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

    Data Obfuscation

    Source: Yara match, File source: 00000000.00000002.835753026.0000000002A70000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
    Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe, Code function: 0_2_739A1B5F GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW
    Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe, File created: C:\Users\user\AppData\Local\Temp\nso5721.tmp\System.dll
    Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe, Process information set: NOOPENFILEERRORBOX

    Malware Analysis System Evasion

    Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe, RDTSC instruction interceptor: First address: 0000000002A702EA second address: 0000000002A702EA instructions: 0x00000000 rdtsc 0x00000002 test cx, ax 0x00000005 test cx, cx 0x00000008 cmp ebx, ecx 0x0000000a jc 00007F4CDCB7714Fh 0x0000000c test al, bl 0x0000000e inc ebp 0x0000000f test ah, ah 0x00000011 inc ebx 0x00000012 clc 0x00000013 rdtsc
    Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe, Code function: 0_2_0040676F FindFirstFileW,FindClose
    Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe, Code function: 0_2_00405B23 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose
    Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe, Code function: 0_2_00402902 FindFirstFileW
    Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe, API call chain: ExitProcess graph end node graph_0-4285
    Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe, API call chain: ExitProcess graph end node graph_0-4436
    Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe, File opened: C:\Users\user\AppData\Roaming
    Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe, File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
    Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe, File opened: C:\Users\user
    Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe, File opened: C:\Users\user\AppData\Roaming\Microsoft
    Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe, File opened: C:\Users\user\AppData
    Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe, File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
    Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe, Code function: 0_2_739A1B5F GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW
    Source: C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe, Code function: 0_2_004034C5 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
    Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
    Valid Accounts | 1 Native API | 1 Windows Service | 1 Access Token Manipulation | 1 Masquerading | OS Credential Dumping | 1 Security Software Discovery | Remote Services | 1 Archive Collected Data | Exfiltration Over Other Network Medium | 1 Encrypted Channel | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | 1 System Shutdown/Reboot
    Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 Windows Service | 1 Access Token Manipulation | LSASS Memory | 3 File and Directory Discovery | Remote Desktop Protocol | 1 Clipboard Data | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
    Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information | Security Account Manager | 13 System Information Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
    Source | Detection | Scanner | Label
    CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe | 10% | ReversingLabs | Win32.Downloader.Minix
    Source | Detection | Scanner | Label
    C:\Users\user\AppData\Local\Temp\nso5721.tmp\System.dll | 0% | ReversingLabs |
    C:\Users\user\AppData\Local\Temp\nso5721.tmp\System.dll | 1% | Virustotal |
    C:\Users\user\AppData\Local\Temp\nso5721.tmp\System.dll | 4% | Metadefender |
    No Antivirus matches
    No Antivirus matches
    No Antivirus matches
    No contacted domains info
    Name | Source | Malicious | Antivirus Detection | Reputation
    http://nsis.sf.net/NSIS_ErrorError | CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe | false | | high
      No contacted IP infos
      Joe Sandbox Version:36.0.0 Rainbow Opal
      Analysis ID:736949
      Start date and time:2022-11-03 12:21:13 +01:00
      Joe Sandbox Product:CloudBasic
      Overall analysis duration:0h 7m 38s
      Hypervisor based Inspection enabled:false
      Report type:full
      Sample file name:CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe
      Cookbook file name:default.jbs
      Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
      Number of analysed new started processes analysed:6
      Number of new started drivers analysed:0
      Number of existing processes analysed:0
      Number of existing drivers analysed:0
      Number of injected processes analysed:0
      Technologies:
      • HCA enabled
      • EGA enabled
      • HDC enabled
      • AMSI enabled
      Analysis Mode:default
      Analysis stop reason:Timeout
      Detection:MAL
      Classification:mal60.troj.evad.winEXE@1/3@0/0
      EGA Information:
      • Successful, ratio: 100%
      HDC Information:
      • Successful, ratio: 85.3% (good quality ratio 83.8%)
      • Quality average: 86.9%
      • Quality standard deviation: 21.2%
      HCA Information:
      • Successful, ratio: 100%
      • Number of executed functions: 46
      • Number of non-executed functions: 32
      Cookbook Comments:
      • Found application associated with file extension: .exe
      • Override analysis time to 240s for sample files taking high CPU consumption
      • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, WMIADAP.exe, conhost.exe, backgroundTaskHost.exe
      • Not all processes were analyzed, report is missing behavior information
      Time | Type | Description
      12:22:10 | API Interceptor | 1x Sleep call for process: CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe modified
      No context
      No context
      No context
      No context
      Match | Associated Sample Name / URL | Detection
      C:\Users\user\AppData\Local\Temp\nso5721.tmp\System.dll | WELTER zahnrad GmbH Urgent enquiry Order nr543.exe | malicious
      | WELTER zahnrad GmbH Urgent enquiry Order nr543.exe | malicious
      | Pipetek Supplies Ltd - Quotation No. 40406 Revised.exe | malicious
      | Pipetek Supplies Ltd - Quotation No. 40406 Revised.exe | malicious
      | Eminencer.exe | malicious
      | Shipment Notification.exe | malicious
      | Prokuraers.exe | malicious
      | RFQ-08-057-SAFETY SHOWER UNIT WITH COOLING SYSTEM.exe | malicious
      | Eminencer.exe | malicious
      | Shipment Notification.exe | malicious
      | COSTCO Purchase Order.exe | malicious
      | Prokuraers.exe | malicious
      | RFQ-08-057-SAFETY SHOWER UNIT WITH COOLING SYSTEM.exe | malicious
      | NEW GIZA - INFRA - RFQ ( Pump ).exe | malicious
      | COSTCO Purchase Order.exe | malicious
      | NEW GIZA - INFRA - RFQ ( Pump ).exe | malicious
      | AWB DHL 7214306201 Shipment Notification.exe | malicious
      | AWB DHL 7214306201 Shipment Notification.exe | malicious
      | SecuriteInfo.com.NSIS.Injector.AOW.tr.16179.exe | malicious
      | Request for Quotation on materials listed - AUTO JIHLAVA s.r.o. PDF.exe | malicious
                                              Process:C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe
                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                              Category:dropped
                                              Size (bytes):12288
                                              Entropy (8bit):5.737556724687435
                                              Encrypted:false
                                              SSDEEP:192:MenY0qWTlt70IAj/lQ0sEWc/wtYbBH2aDybC7y+XBaIwL:M8+Qlt70Fj/lQRY/9VjjgL
                                              MD5:6E55A6E7C3FDBD244042EB15CB1EC739
                                              SHA1:070EA80E2192ABC42F358D47B276990B5FA285A9
                                              SHA-256:ACF90AB6F4EDC687E94AAF604D05E16E6CFB5E35873783B50C66F307A35C6506
                                              SHA-512:2D504B74DA38EDC967E3859733A2A9CACD885DB82F0CA69BFB66872E882707314C54238344D45945DC98BAE85772ACEEF71A741787922D640627D3C8AE8F1C35
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              • Antivirus: Virustotal, Detection: 1%, Browse
                                              • Antivirus: Metadefender, Detection: 4%, Browse
                                              Joe Sandbox View:
                                              • Filename: WELTER zahnrad GmbH Urgent enquiry Order nr543.exe, Detection: malicious, Browse
                                              • Filename: WELTER zahnrad GmbH Urgent enquiry Order nr543.exe, Detection: malicious, Browse
                                              • Filename: Pipetek Supplies Ltd - Quotation No. 40406 Revised.exe, Detection: malicious, Browse
                                              • Filename: Pipetek Supplies Ltd - Quotation No. 40406 Revised.exe, Detection: malicious, Browse
                                              • Filename: Eminencer.exe, Detection: malicious, Browse
                                              • Filename: Shipment Notification.exe, Detection: malicious, Browse
                                              • Filename: Prokuraers.exe, Detection: malicious, Browse
                                              • Filename: RFQ-08-057-SAFETY SHOWER UNIT WITH COOLING SYSTEM.exe, Detection: malicious, Browse
                                              • Filename: Eminencer.exe, Detection: malicious, Browse
                                              • Filename: Shipment Notification.exe, Detection: malicious, Browse
                                              • Filename: COSTCO Purchase Order.exe, Detection: malicious, Browse
                                              • Filename: Prokuraers.exe, Detection: malicious, Browse
                                              • Filename: RFQ-08-057-SAFETY SHOWER UNIT WITH COOLING SYSTEM.exe, Detection: malicious, Browse
                                              • Filename: NEW GIZA - INFRA - RFQ ( Pump ).exe, Detection: malicious, Browse
                                              • Filename: COSTCO Purchase Order.exe, Detection: malicious, Browse
                                              • Filename: NEW GIZA - INFRA - RFQ ( Pump ).exe, Detection: malicious, Browse
                                              • Filename: AWB DHL 7214306201 Shipment Notification.exe, Detection: malicious, Browse
                                              • Filename: AWB DHL 7214306201 Shipment Notification.exe, Detection: malicious, Browse
                                              • Filename: SecuriteInfo.com.NSIS.Injector.AOW.tr.16179.exe, Detection: malicious, Browse
                                              • Filename: Request for Quotation on materials listed - AUTO JIHLAVA s.r.o. PDF.exe, Detection: malicious, Browse
                                              Reputation:moderate, very likely benign file
                                              Process:C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe
                                              File Type:PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
                                              Category:dropped
                                              Size (bytes):286
                                              Entropy (8bit):6.880810677512409
                                              Encrypted:false
                                              SSDEEP:6:6v/lhPysDQqinrW8/97kGwr/F+Elz3hsKrnLIuYK/SwtNVp:6v/7ZiK817kG3Mz3ZIiSoN7
                                              MD5:03DEC13C99CA8B2766C9B4468E0E781B
                                              SHA1:DA2202AF040D5494D7281FAB003C748457255CEE
                                              SHA-256:DEBC1949821086D01AE4A60BFFF1A73CFF47E7AB100E9028556496C254C05655
                                              SHA-512:566533ABC453A817570660154026D2206866073AB28CA6243C15AFF6A57C4A8B686EB7F23B4161EF4AE2A2C5C71F3DD6FD7271F4667A8C2E606D7CA19CC71FE7
                                              Malicious:false
                                              Reputation:low
                                              Process:C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):106887
                                              Entropy (8bit):7.75553468119485
                                              Encrypted:false
                                              SSDEEP:1536:bYpDSzihO1IsnBzEfH5ZR0fha22stcSuYZtL+8VdfWuZTJrBWmlRsMM:mDcgO1IeQfH5ZRXstcgKodfhrBBDM
                                              MD5:73A6739AA8670352F00CA22E28B2E5E3
                                              SHA1:14B5E6BB7FA6A534D9CCB20C19F57D82C8C8D634
                                              SHA-256:1E182B58911811ED9709B682EFE83DD96093AC013DA58698D2687E526E4D3B96
                                              SHA-512:46D0E7F0B7EC4042B66B0CF98076D9E59157B3A011A9EB2E1238D4B5B579B9B9194F257F3B6DB9191F66F135232B0D9DA85360CBC8F87B612847FAE471083971
                                              Malicious:false
                                              Reputation:low
                                              File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                              Entropy (8bit):7.688048037898308
                                              TrID:
                                              • Win32 Executable (generic) a (10002005/4) 99.96%
                                              • Generic Win/DOS Executable (2004/3) 0.02%
                                              • DOS Executable Generic (2002/1) 0.02%
                                              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                              File name:CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe
                                              File size:236896
                                              MD5:045f22ce9be3d33b07a00780ee66fcfd
                                              SHA1:91b74e75d55c33d8d82b10bed51ca7d3ad80147c
                                              SHA256:e05ec32c2edc10b6917a3cbcac9d823cb37db908cc51f3ec459800992e2b8b37
                                              SHA512:c363c64fe3b52d615601810b577168be5b3339ba6bde011ae0c76bbee76718782f8b737b0c9f6d82d34197045ce1c35389cba26622349bb2c0c77f62ed29d063
                                              SSDEEP:6144:vT4DtMeWIPR0PVPCespE0s67yIMYxrzWJougaEzEk:vTpeZ00SI18ogC
                                              TLSH:2134014177B5C463ED564A30C813A7F2A9B97C11D9E89F4707423E8EBC76382DA1A32D
                                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...Pf..Pf..Pf.*_9..Pf..Pg.LPf.*_;..Pf..sV..Pf..V`..Pf.Rich.Pf.........................PE..L...P..`.................h.........
                                              Icon Hash:879b931b3bb3b393
                                              Entrypoint:0x4034c5
                                              Entrypoint Section:.text
                                              Digitally signed:true
                                              Imagebase:0x400000
                                              Subsystem:windows gui
                                              Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                                              DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                              Time Stamp:0x60FC9250 [Sat Jul 24 22:21:04 2021 UTC]
                                              TLS Callbacks:
                                              CLR (.Net) Version:
                                              OS Version Major:4
                                              OS Version Minor:0
                                              File Version Major:4
                                              File Version Minor:0
                                              Subsystem Version Major:4
                                              Subsystem Version Minor:0
                                              Import Hash:6e7f9a29f2c85394521a08b9f31f6275
                                              Signature Valid:false
                                              Signature Issuer:OU="Squatterism Autodialing ", E=Wirestitched@Longobardian.No, O=driftier, L=West Tarbert, S=Scotland, C=GB
                                              Signature Validation Error:A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
                                              Error Number:-2146762487
                                              Not Before, Not After
                                              • 7/17/2022 6:44:12 PM, 7/16/2025 6:44:12 PM
                                              Subject Chain
                                              • OU="Squatterism Autodialing ", E=Wirestitched@Longobardian.No, O=driftier, L=West Tarbert, S=Scotland, C=GB
                                              Version:3
                                              Thumbprint MD5:CE0B0A248006454637FB21369D393B35
                                              Thumbprint SHA-1:FDB8159D5CAE5E96B90D0300979493249FE76435
                                              Thumbprint SHA-256:67AA1334C6C443A496FCD527B5F1A30A2CA661AC20D33E7BCCADEF6982D2575C
                                              Serial:33616A6CE5467077
                                              Instruction
                                              sub esp, 000002D4h
                                              push ebx
                                              push esi
                                              push edi
                                              push 00000020h
                                              pop edi
                                              xor ebx, ebx
                                              push 00008001h
                                              mov dword ptr [esp+14h], ebx
                                              mov dword ptr [esp+10h], 0040A2E0h
                                              mov dword ptr [esp+1Ch], ebx
                                              call dword ptr [004080CCh]
                                              call dword ptr [004080D0h]
                                              and eax, BFFFFFFFh
                                              cmp ax, 00000006h
                                              mov dword ptr [00434F0Ch], eax
                                              je 00007F4CDCBD8053h
                                              push ebx
                                              call 00007F4CDCBDB341h
                                              cmp eax, ebx
                                              je 00007F4CDCBD8049h
                                              push 00000C00h
                                              call eax
                                              mov esi, 004082B0h
                                              push esi
                                              call 00007F4CDCBDB2BBh
                                              push esi
                                              call dword ptr [00408154h]
                                              lea esi, dword ptr [esi+eax+01h]
                                              cmp byte ptr [esi], 00000000h
                                              jne 00007F4CDCBD802Ch
                                              push 0000000Bh
                                              call 00007F4CDCBDB314h
                                              push 00000009h
                                              call 00007F4CDCBDB30Dh
                                              push 00000007h
                                              mov dword ptr [00434F04h], eax
                                              call 00007F4CDCBDB301h
                                              cmp eax, ebx
                                              je 00007F4CDCBD8051h
                                              push 0000001Eh
                                              call eax
                                              test eax, eax
                                              je 00007F4CDCBD8049h
                                              or byte ptr [00434F0Fh], 00000040h
                                              push ebp
                                              call dword ptr [00408038h]
                                              push ebx
                                              call dword ptr [00408298h]
                                              mov dword ptr [00434FD8h], eax
                                              push ebx
                                              lea eax, dword ptr [esp+34h]
                                              push 000002B4h
                                              push eax
                                              push ebx
                                              push 0042B228h
                                              call dword ptr [0040818Ch]
                                              push 0040A2C8h
                                              Programming Language:
                                              • [EXP] VC++ 6.0 SP5 build 8804
                                              Name | Virtual Address | Virtual Size | Is in Section
                                              IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8610 | 0xa0 | .rdata
                                              IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x7e000 | 0x147e8 | .rsrc
                                              IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_SECURITY | 0x37ca8 | 0x20b8 | .ndata
                                              IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_IAT | 0x8000 | 0x2b0 | .rdata
                                              IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                              Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                              .text | 0x1000 | 0x6793 | 0x6800 | False | 0.6720628004807693 | data | 6.495258513279076 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                              .rdata | 0x8000 | 0x14a4 | 0x1600 | False | 0.4385653409090909 | data | 5.01371465125838 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                              .data | 0xa000 | 0x2b018 | 0x600 | False | 0.5240885416666666 | data | 4.155579717739458 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                              .ndata | 0x36000 | 0x48000 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                              .rsrc | 0x7e000 | 0x147e8 | 0x14800 | False | 0.8290658346036586 | data | 7.314494987254223 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                              Name | RVA | Size | Type | Language | Country
                                              RT_BITMAP | 0x7e4f0 | 0x368 | Device independent bitmap graphic, 96 x 16 x 4, image size 768 | English | United States
                                              RT_ICON | 0x7e858 | 0x820b | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States
                                              RT_ICON | 0x86a68 | 0x39ac | PNG image data, 256 x 256, 8-bit colormap, non-interlaced | English | United States
                                              RT_ICON | 0x8a418 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States
                                              RT_ICON | 0x8c9c0 | 0x14fa | PNG image data, 256 x 256, 4-bit colormap, non-interlaced | English | United States
                                              RT_ICON | 0x8dec0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States
                                              RT_ICON | 0x8ef68 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304 | English | United States
                                              RT_ICON | 0x8fe10 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024 | English | United States
                                              RT_ICON | 0x906b8 | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 1152 | English | United States
                                              RT_ICON | 0x90d20 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256 | English | United States
                                              RT_ICON | 0x91288 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States
                                              RT_ICON | 0x916f0 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512 | English | United States
                                              RT_ICON | 0x919d8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128 | English | United States
                                              RT_DIALOG | 0x91b00 | 0x144 | data | English | United States
                                              RT_DIALOG | 0x91c48 | 0x13c | data | English | United States
                                              RT_DIALOG | 0x91d88 | 0x100 | data | English | United States
                                              RT_DIALOG | 0x91e88 | 0x11c | data | English | United States
                                              RT_DIALOG | 0x91fa8 | 0xc4 | data | English | United States
                                              RT_DIALOG | 0x92070 | 0xb6 | data | English | United States
                                              RT_DIALOG | 0x92128 | 0x60 | data | English | United States
                                              RT_GROUP_ICON | 0x92188 | 0xae | data | English | United States
                                              RT_VERSION | 0x92238 | 0x270 | data | English | United States
                                              RT_MANIFEST | 0x924a8 | 0x33e | XML 1.0 document, ASCII text, with very long lines (830), with no line terminators | English | United States
                                              DLL | Import
                                              ADVAPI32.dll | RegCreateKeyExW, RegEnumKeyW, RegQueryValueExW, RegSetValueExW, RegCloseKey, RegDeleteValueW, RegDeleteKeyW, AdjustTokenPrivileges, LookupPrivilegeValueW, OpenProcessToken, SetFileSecurityW, RegOpenKeyExW, RegEnumValueW
                                              SHELL32.dll | SHGetSpecialFolderLocation, SHFileOperationW, SHBrowseForFolderW, SHGetPathFromIDListW, ShellExecuteExW, SHGetFileInfoW
                                              ole32.dll | OleInitialize, OleUninitialize, CoCreateInstance, IIDFromString, CoTaskMemFree
                                              COMCTL32.dll | ImageList_Create, ImageList_Destroy, ImageList_AddMasked
                                              USER32.dll | GetClientRect, EndPaint, DrawTextW, IsWindowEnabled, DispatchMessageW, wsprintfA, CharNextA, CharPrevW, MessageBoxIndirectW, GetDlgItemTextW, SetDlgItemTextW, GetSystemMetrics, FillRect, AppendMenuW, TrackPopupMenu, OpenClipboard, SetClipboardData, CloseClipboard, IsWindowVisible, CallWindowProcW, GetMessagePos, CheckDlgButton, LoadCursorW, SetCursor, GetWindowLongW, GetSysColor, SetWindowPos, PeekMessageW, SetClassLongW, GetSystemMenu, EnableMenuItem, GetWindowRect, ScreenToClient, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, FindWindowExW, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, EmptyClipboard, CreatePopupMenu
                                              GDI32.dll | SetBkMode, SetBkColor, GetDeviceCaps, CreateFontIndirectW, CreateBrushIndirect, DeleteObject, SetTextColor, SelectObject
                                              KERNEL32.dll | GetExitCodeProcess, WaitForSingleObject, GetModuleHandleA, GetProcAddress, GetSystemDirectoryW, lstrcatW, Sleep, lstrcpyA, WriteFile, GetTempFileNameW, CreateFileW, lstrcmpiA, RemoveDirectoryW, CreateProcessW, CreateDirectoryW, GetLastError, CreateThread, GlobalLock, GlobalUnlock, GetDiskFreeSpaceW, WideCharToMultiByte, lstrcpynW, lstrlenW, SetErrorMode, GetVersion, GetCommandLineW, GetTempPathW, GetWindowsDirectoryW, SetEnvironmentVariableW, ExitProcess, CopyFileW, GetCurrentProcess, GetModuleFileNameW, GetFileSize, GetTickCount, MulDiv, SetFileAttributesW, GetFileAttributesW, SetCurrentDirectoryW, MoveFileW, GetFullPathNameW, GetShortPathNameW, SearchPathW, CompareFileTime, SetFileTime, CloseHandle, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalFree, GlobalAlloc, GetModuleHandleW, LoadLibraryExW, MoveFileExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, lstrlenA, MultiByteToWideChar, ReadFile, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW
                                              Language of compilation system | Country where language is spoken | Map
                                              English | United States |
                                              No network behavior found


                                              Target ID:0
                                              Start time:12:22:10
                                              Start date:03/11/2022
                                              Path:C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe
                                              Wow64 process (32bit):true
                                              Commandline:C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe
                                              Imagebase:0x400000
                                              File size:236896 bytes
                                              MD5 hash:045F22CE9BE3D33B07A00780EE66FCFD
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000000.00000002.835753026.0000000002A70000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              Reputation:low


                                                Execution Graph

                                                Execution Coverage:21.2%
                                                Dynamic/Decrypted Code Coverage:0%
                                                Signature Coverage:16%
                                                Total number of Nodes:1572
                                                Total number of Limit Nodes:45
4754 739a187e 4751->4754 4755 739a1833 4751->4755 4752 739a17f8 4764 739a17ee 4752->4764 4842 739a2d83 4752->4842 4753 739a17df 4757 739a17e5 4753->4757 4763 739a17f0 4753->4763 4761 739a25b5 10 API calls 4754->4761 4864 739a15c6 4755->4864 4757->4764 4826 739a2af8 4757->4826 4767 739a186f 4761->4767 4762 739a1815 4856 739a15b4 4762->4856 4836 739a2770 4763->4836 4764->4750 4764->4751 4773 739a18c5 4767->4773 4870 739a2578 4767->4870 4769 739a17f6 4769->4764 4770 739a25b5 10 API calls 4770->4767 4773->4743 4775 739a18cf GlobalFree 4773->4775 4775->4743 4778 739a18b1 4778->4773 4874 739a153d wsprintfW 4778->4874 4779 739a18aa FreeLibrary 4779->4778 4781->4736 4877 739a121b GlobalAlloc 4782->4877 4784 739a1b86 4878 739a121b GlobalAlloc 4784->4878 4786 739a1dcb GlobalFree GlobalFree GlobalFree 4787 739a1de8 4786->4787 4800 739a1e32 4786->4800 4789 739a21de 4787->4789 4797 739a1dfd 4787->4797 4787->4800 4788 739a1c86 GlobalAlloc 4810 739a1b91 4788->4810 4790 739a2200 GetModuleHandleW 4789->4790 4789->4800 4791 739a2211 LoadLibraryW 4790->4791 4792 739a2226 4790->4792 4791->4792 4791->4800 4885 739a161d WideCharToMultiByte GlobalAlloc WideCharToMultiByte GetProcAddress GlobalFree 4792->4885 4793 739a1cd1 lstrcpyW 4796 739a1cdb lstrcpyW 4793->4796 4794 739a1cef GlobalFree 4794->4810 4796->4810 4797->4800 4881 739a122c 4797->4881 4798 739a2278 4798->4800 4803 739a2285 lstrlenW 4798->4803 4799 739a2086 4884 739a121b GlobalAlloc 4799->4884 4800->4742 4886 739a161d WideCharToMultiByte GlobalAlloc WideCharToMultiByte GetProcAddress GlobalFree 4803->4886 4804 739a2238 4804->4798 4814 739a2262 GetProcAddress 4804->4814 4806 739a1fc7 GlobalFree 4806->4810 4807 739a210e 4807->4800 4813 739a2176 lstrcpyW 4807->4813 4808 739a1d2d 4808->4810 4879 739a158f GlobalSize GlobalAlloc 4808->4879 4809 739a229f 4809->4800 4810->4786 4810->4788 4810->4793 4810->4794 4810->4796 4810->4799 4810->4800 4810->4806 4810->4807 4810->4808 4811 739a122c 2 API calls 4810->4811 4811->4810 4813->4800 
4814->4798 4815 739a208f 4815->4742 4818 739a23f8 4816->4818 4817 739a122c GlobalAlloc lstrcpynW 4817->4818 4818->4817 4820 739a2521 GlobalFree 4818->4820 4821 739a24cb GlobalAlloc CLSIDFromString 4818->4821 4822 739a24a0 GlobalAlloc WideCharToMultiByte 4818->4822 4825 739a24ea 4818->4825 4888 739a12ba 4818->4888 4820->4818 4823 739a17cf 4820->4823 4821->4820 4822->4820 4823->4752 4823->4753 4823->4764 4825->4820 4892 739a2704 4825->4892 4828 739a2b0a 4826->4828 4827 739a2baf CreateFileA 4831 739a2bcd 4827->4831 4828->4827 4830 739a2c99 4830->4764 4895 739a2aa2 4831->4895 4833 739a23b3 4832->4833 4834 739a23be GlobalAlloc 4833->4834 4835 739a17c8 4833->4835 4834->4833 4835->4744 4840 739a27a0 4836->4840 4837 739a283b GlobalAlloc 4841 739a285e 4837->4841 4838 739a284e 4839 739a2854 GlobalSize 4838->4839 4838->4841 4839->4841 4840->4837 4840->4838 4841->4769 4843 739a2d8e 4842->4843 4844 739a2dce GlobalFree 4843->4844 4899 739a121b GlobalAlloc 4845->4899 4847 739a265a StringFromGUID2 4850 739a25bf 4847->4850 4848 739a266b lstrcpynW 4848->4850 4849 739a2638 MultiByteToWideChar 4849->4850 4850->4847 4850->4848 4850->4849 4851 739a267e wsprintfW 4850->4851 4852 739a26a2 GlobalFree 4850->4852 4853 739a26d7 GlobalFree 4850->4853 4854 739a1272 2 API calls 4850->4854 4900 739a12e1 4850->4900 4851->4850 4852->4850 4853->4762 4854->4850 4904 739a121b GlobalAlloc 4856->4904 4858 739a15b9 4859 739a15c6 2 API calls 4858->4859 4860 739a15c3 4859->4860 4861 739a1272 4860->4861 4862 739a127b GlobalAlloc lstrcpynW 4861->4862 4863 739a12b5 GlobalFree 4861->4863 4862->4863 4863->4767 4865 739a15ff lstrcpyW 4864->4865 4866 739a15d2 wsprintfW 4864->4866 4869 739a1618 4865->4869 4866->4869 4869->4770 4871 739a2586 4870->4871 4873 739a1891 4870->4873 4872 739a25a2 GlobalFree 4871->4872 4871->4873 4872->4871 4873->4778 4873->4779 4875 739a1272 2 API calls 4874->4875 4876 739a155e 4875->4876 4876->4773 4877->4784 4878->4810 4880 739a15ad 4879->4880 4880->4808 4887 739a121b GlobalAlloc 
4881->4887 4883 739a123b lstrcpynW 4883->4800 4884->4815 4885->4804 4886->4809 4887->4883 4889 739a12c1 4888->4889 4890 739a122c 2 API calls 4889->4890 4891 739a12df 4890->4891 4891->4818 4893 739a2768 4892->4893 4894 739a2712 VirtualAlloc 4892->4894 4893->4825 4894->4893 4896 739a2aad 4895->4896 4897 739a2ab2 GetLastError 4896->4897 4898 739a2abd 4896->4898 4897->4898 4898->4830 4899->4850 4901 739a12ea 4900->4901 4902 739a130c 4900->4902 4901->4902 4903 739a12f0 lstrcpyW 4901->4903 4902->4850 4903->4902 4904->4858 4905 404dd4 GetDlgItem GetDlgItem 4906 404e28 7 API calls 4905->4906 4914 405052 4905->4914 4907 404ed2 DeleteObject 4906->4907 4908 404ec5 SendMessageW 4906->4908 4909 404edd 4907->4909 4908->4907 4910 404f14 4909->4910 4912 404eec 4909->4912 4916 404367 18 API calls 4910->4916 4911 40513a 4917 4051e3 4911->4917 4923 4053d8 4911->4923 4929 405190 SendMessageW 4911->4929 4913 40644e 17 API calls 4912->4913 4918 404ef6 SendMessageW SendMessageW 4913->4918 4914->4911 4915 40511b 4914->4915 4921 4050b3 4914->4921 4915->4911 4924 40512c SendMessageW 4915->4924 4922 404f28 4916->4922 4919 4051f8 4917->4919 4920 4051ec SendMessageW 4917->4920 4918->4909 4926 405221 4919->4926 4931 405211 4919->4931 4932 40520a ImageList_Destroy 4919->4932 4920->4919 4927 404d22 5 API calls 4921->4927 4928 404367 18 API calls 4922->4928 4925 4043ce 8 API calls 4923->4925 4924->4911 4930 4053e6 4925->4930 4933 40539a 4926->4933 4948 404da2 4 API calls 4926->4948 4956 40525c 4926->4956 4952 4050c4 4927->4952 4939 404f39 4928->4939 4929->4923 4934 4051a5 SendMessageW 4929->4934 4931->4926 4935 40521a GlobalFree 4931->4935 4932->4931 4933->4923 4937 4053ac ShowWindow GetDlgItem ShowWindow 4933->4937 4940 4051b8 4934->4940 4935->4926 4936 405014 GetWindowLongW SetWindowLongW 4938 40502d 4936->4938 4937->4923 4941 405032 ShowWindow 4938->4941 4942 40504a 4938->4942 4939->4936 4944 40500f 4939->4944 4947 404f8c SendMessageW 4939->4947 4950 404fca SendMessageW 4939->4950 4951 404fde 
SendMessageW 4939->4951 4943 4051c9 SendMessageW 4940->4943 4962 40439c SendMessageW 4941->4962 4963 40439c SendMessageW 4942->4963 4943->4917 4944->4936 4944->4938 4947->4939 4948->4956 4949 405045 4949->4923 4950->4939 4951->4939 4952->4915 4953 405366 4954 405370 InvalidateRect 4953->4954 4959 40537c 4953->4959 4954->4959 4955 40528a SendMessageW 4957 4052a0 4955->4957 4956->4955 4956->4957 4957->4953 4958 405301 4957->4958 4960 405314 SendMessageW SendMessageW 4957->4960 4958->4960 4959->4933 4964 404cdd 4959->4964 4960->4957 4962->4949 4963->4914 4967 404c14 4964->4967 4966 404cf2 4966->4933 4968 404c2d 4967->4968 4969 40644e 17 API calls 4968->4969 4970 404c91 4969->4970 4971 40644e 17 API calls 4970->4971 4972 404c9c 4971->4972 4973 40644e 17 API calls 4972->4973 4974 404cb2 lstrlenW wsprintfW SetDlgItemTextW 4973->4974 4974->4966 5099 4028d5 5100 4028dd 5099->5100 5101 4028e1 FindNextFileW 5100->5101 5103 4028f3 5100->5103 5102 40293a 5101->5102 5101->5103 5105 406411 lstrcpynW 5102->5105 5105->5103 5106 401956 5107 402d3e 17 API calls 5106->5107 5108 40195d lstrlenW 5107->5108 5109 402630 5108->5109 4985 4014d7 4986 402d1c 17 API calls 4985->4986 4987 4014dd Sleep 4986->4987 4989 402bc2 4987->4989 5110 4044d7 lstrlenW 5111 4044f6 5110->5111 5112 4044f8 WideCharToMultiByte 5110->5112 5111->5112 5113 404858 5114 404884 5113->5114 5115 404895 5113->5115 5174 405a5b GetDlgItemTextW 5114->5174 5116 4048a1 GetDlgItem 5115->5116 5149 404900 5115->5149 5118 4048b5 5116->5118 5121 4048c9 SetWindowTextW 5118->5121 5125 405d91 4 API calls 5118->5125 5119 40488f 5120 4066c0 5 API calls 5119->5120 5120->5115 5126 404367 18 API calls 5121->5126 5122 404b93 5124 4043ce 8 API calls 5122->5124 5129 404ba7 5124->5129 5130 4048bf 5125->5130 5131 4048e5 5126->5131 5127 40644e 17 API calls 5132 404974 SHBrowseForFolderW 5127->5132 5128 404a14 5133 405dee 18 API calls 5128->5133 5130->5121 5138 405ce6 3 API calls 5130->5138 5134 404367 18 API calls 5131->5134 5135 4049e4 
5132->5135 5136 40498c CoTaskMemFree 5132->5136 5137 404a1a 5133->5137 5139 4048f3 5134->5139 5135->5122 5176 405a5b GetDlgItemTextW 5135->5176 5140 405ce6 3 API calls 5136->5140 5177 406411 lstrcpynW 5137->5177 5138->5121 5175 40439c SendMessageW 5139->5175 5142 404999 5140->5142 5145 4049d0 SetDlgItemTextW 5142->5145 5150 40644e 17 API calls 5142->5150 5144 4048f9 5148 406806 5 API calls 5144->5148 5145->5135 5146 404a31 5147 406806 5 API calls 5146->5147 5156 404a38 5147->5156 5148->5149 5149->5122 5149->5127 5149->5135 5151 4049b8 lstrcmpiW 5150->5151 5151->5145 5153 4049c9 lstrcatW 5151->5153 5152 404a79 5178 406411 lstrcpynW 5152->5178 5153->5145 5155 404a80 5157 405d91 4 API calls 5155->5157 5156->5152 5161 405d32 2 API calls 5156->5161 5162 404ad1 5156->5162 5158 404a86 GetDiskFreeSpaceW 5157->5158 5160 404aaa MulDiv 5158->5160 5158->5162 5160->5162 5161->5156 5163 404b42 5162->5163 5165 404cdd 20 API calls 5162->5165 5164 404b65 5163->5164 5166 40140b 2 API calls 5163->5166 5179 404389 EnableWindow 5164->5179 5167 404b2f 5165->5167 5166->5164 5168 404b44 SetDlgItemTextW 5167->5168 5169 404b34 5167->5169 5168->5163 5171 404c14 20 API calls 5169->5171 5171->5163 5172 404b81 5172->5122 5180 4047b1 5172->5180 5174->5119 5175->5144 5176->5128 5177->5146 5178->5155 5179->5172 5181 4047c4 SendMessageW 5180->5181 5182 4047bf 5180->5182 5181->5122 5182->5181 5183 739a1000 5186 739a101b 5183->5186 5193 739a1516 5186->5193 5188 739a1020 5189 739a1027 GlobalAlloc 5188->5189 5190 739a1024 5188->5190 5189->5190 5191 739a153d 3 API calls 5190->5191 5192 739a1019 5191->5192 5195 739a151c 5193->5195 5194 739a1522 5194->5188 5195->5194 5196 739a152e GlobalFree 5195->5196 5196->5188 4990 40175c 4991 402d3e 17 API calls 4990->4991 4992 401763 4991->4992 4993 405f36 2 API calls 4992->4993 4994 40176a 4993->4994 4995 405f36 2 API calls 4994->4995 4995->4994 5197 401d5d 5198 402d1c 17 API calls 5197->5198 5199 401d6e SetWindowLongW 5198->5199 5200 402bc2 5199->5200 4997 401ede 
4998 402d1c 17 API calls 4997->4998 4999 401ee4 4998->4999 5000 402d1c 17 API calls 4999->5000 5001 401ef0 5000->5001 5002 401f07 EnableWindow 5001->5002 5003 401efc ShowWindow 5001->5003 5004 402bc2 5002->5004 5003->5004 5201 401563 5202 402b08 5201->5202 5205 406358 wsprintfW 5202->5205 5204 402b0d 5205->5204 5206 4026e4 5207 402d1c 17 API calls 5206->5207 5208 4026f3 5207->5208 5209 40273d ReadFile 5208->5209 5210 405f8a ReadFile 5208->5210 5212 402832 5208->5212 5213 40277d MultiByteToWideChar 5208->5213 5215 4027a3 SetFilePointer MultiByteToWideChar 5208->5215 5216 402843 5208->5216 5218 402830 5208->5218 5219 405fe8 SetFilePointer 5208->5219 5209->5208 5209->5218 5210->5208 5228 406358 wsprintfW 5212->5228 5213->5208 5215->5208 5217 402864 SetFilePointer 5216->5217 5216->5218 5217->5218 5220 406004 5219->5220 5227 40601c 5219->5227 5221 405f8a ReadFile 5220->5221 5222 406010 5221->5222 5223 406025 SetFilePointer 5222->5223 5224 40604d SetFilePointer 5222->5224 5222->5227 5223->5224 5225 406030 5223->5225 5224->5227 5226 405fb9 WriteFile 5225->5226 5226->5227 5227->5208 5228->5218 5229 739a103d 5230 739a101b 5 API calls 5229->5230 5231 739a1056 5230->5231 5232 401968 5233 402d1c 17 API calls 5232->5233 5234 40196f 5233->5234 5235 402d1c 17 API calls 5234->5235 5236 40197c 5235->5236 5237 402d3e 17 API calls 5236->5237 5238 401993 lstrlenW 5237->5238 5240 4019a4 5238->5240 5239 4019e5 5240->5239 5244 406411 lstrcpynW 5240->5244 5242 4019d5 5242->5239 5243 4019da lstrlenW 5242->5243 5243->5239 5244->5242 5245 40166a 5246 402d3e 17 API calls 5245->5246 5247 401670 5246->5247 5248 40676f 2 API calls 5247->5248 5249 401676 5248->5249 4537 4023ec 4538 402d3e 17 API calls 4537->4538 4539 4023fb 4538->4539 4540 402d3e 17 API calls 4539->4540 4541 402404 4540->4541 4542 402d3e 17 API calls 4541->4542 4543 40240e GetPrivateProfileStringW 4542->4543 4544 4053ed 4545 405411 4544->4545 4546 4053fd 4544->4546 4549 405419 IsWindowVisible 4545->4549 4555 405439 4545->4555 
4547 405403 4546->4547 4548 40545a 4546->4548 4551 4043b3 SendMessageW 4547->4551 4550 40545f CallWindowProcW 4548->4550 4549->4548 4552 405426 4549->4552 4553 40540d 4550->4553 4551->4553 4558 404d22 SendMessageW 4552->4558 4555->4550 4563 404da2 4555->4563 4559 404d81 SendMessageW 4558->4559 4560 404d45 GetMessagePos ScreenToClient SendMessageW 4558->4560 4561 404d79 4559->4561 4560->4561 4562 404d7e 4560->4562 4561->4555 4562->4559 4572 406411 lstrcpynW 4563->4572 4565 404db5 4573 406358 wsprintfW 4565->4573 4567 404dbf 4568 40140b 2 API calls 4567->4568 4569 404dc8 4568->4569 4574 406411 lstrcpynW 4569->4574 4571 404dcf 4571->4548 4572->4565 4573->4567 4574->4571 4670 40176f 4671 402d3e 17 API calls 4670->4671 4672 401776 4671->4672 4673 401796 4672->4673 4674 40179e 4672->4674 4709 406411 lstrcpynW 4673->4709 4710 406411 lstrcpynW 4674->4710 4677 40179c 4680 4066c0 5 API calls 4677->4680 4678 4017a9 4679 405ce6 3 API calls 4678->4679 4681 4017af lstrcatW 4679->4681 4686 4017bb 4680->4686 4681->4677 4682 40676f 2 API calls 4682->4686 4683 405ee2 2 API calls 4683->4686 4685 4017cd CompareFileTime 4685->4686 4686->4682 4686->4683 4686->4685 4687 40188d 4686->4687 4691 406411 lstrcpynW 4686->4691 4695 40644e 17 API calls 4686->4695 4702 405a77 MessageBoxIndirectW 4686->4702 4707 401864 4686->4707 4708 405f07 GetFileAttributesW CreateFileW 4686->4708 4688 405479 24 API calls 4687->4688 4689 401897 4688->4689 4692 40324c 31 API calls 4689->4692 4690 405479 24 API calls 4705 401879 4690->4705 4691->4686 4693 4018aa 4692->4693 4694 4018be SetFileTime 4693->4694 4696 4018d0 FindCloseChangeNotification 4693->4696 4694->4696 4695->4686 4697 4018e1 4696->4697 4696->4705 4698 4018e6 4697->4698 4699 4018f9 4697->4699 4700 40644e 17 API calls 4698->4700 4701 40644e 17 API calls 4699->4701 4703 4018ee lstrcatW 4700->4703 4704 401901 4701->4704 4702->4686 4703->4704 4704->4705 4706 405a77 MessageBoxIndirectW 4704->4706 4706->4705 4707->4690 4707->4705 4708->4686 4709->4677 
4710->4678 5250 401a72 5251 402d1c 17 API calls 5250->5251 5252 401a7b 5251->5252 5253 402d1c 17 API calls 5252->5253 5254 401a20 5253->5254 5255 401573 5256 401583 ShowWindow 5255->5256 5257 40158c 5255->5257 5256->5257 5258 40159a ShowWindow 5257->5258 5259 402bc2 5257->5259 5258->5259 5260 4014f5 SetForegroundWindow 5261 402bc2 5260->5261 5262 401ff6 5263 402d3e 17 API calls 5262->5263 5264 401ffd 5263->5264 5265 40676f 2 API calls 5264->5265 5266 402003 5265->5266 5268 402014 5266->5268 5269 406358 wsprintfW 5266->5269 5269->5268 5270 401b77 5271 402d3e 17 API calls 5270->5271 5272 401b7e 5271->5272 5273 402d1c 17 API calls 5272->5273 5274 401b87 wsprintfW 5273->5274 5275 402bc2 5274->5275 5276 4022f7 5277 402d3e 17 API calls 5276->5277 5278 4022fd 5277->5278 5279 402d3e 17 API calls 5278->5279 5280 402306 5279->5280 5281 402d3e 17 API calls 5280->5281 5282 40230f 5281->5282 5283 40676f 2 API calls 5282->5283 5284 402318 5283->5284 5285 402329 lstrlenW lstrlenW 5284->5285 5286 40231c 5284->5286 5288 405479 24 API calls 5285->5288 5287 405479 24 API calls 5286->5287 5290 402324 5286->5290 5287->5290 5289 402367 SHFileOperationW 5288->5289 5289->5286 5289->5290 5291 739a2ca3 5292 739a2cbb 5291->5292 5293 739a158f 2 API calls 5292->5293 5294 739a2cd6 5293->5294 5295 40167b 5296 402d3e 17 API calls 5295->5296 5297 401682 5296->5297 5298 402d3e 17 API calls 5297->5298 5299 40168b 5298->5299 5300 402d3e 17 API calls 5299->5300 5301 401694 MoveFileW 5300->5301 5302 4016a7 5301->5302 5308 4016a0 5301->5308 5303 40676f 2 API calls 5302->5303 5305 4022ee 5302->5305 5306 4016b6 5303->5306 5304 401423 24 API calls 5304->5305 5306->5305 5307 4061d7 36 API calls 5306->5307 5307->5308 5308->5304 5309 40237b 5310 402382 5309->5310 5313 402395 5309->5313 5311 40644e 17 API calls 5310->5311 5312 40238f 5311->5312 5312->5313 5314 405a77 MessageBoxIndirectW 5312->5314 5314->5313 5315 4019ff 5316 402d3e 17 API calls 5315->5316 5317 401a06 5316->5317 5318 402d3e 17 API calls 
5317->5318 5319 401a0f 5318->5319 5320 401a16 lstrcmpiW 5319->5320 5321 401a28 lstrcmpW 5319->5321 5322 401a1c 5320->5322 5321->5322 5323 401000 5324 401037 BeginPaint GetClientRect 5323->5324 5325 40100c DefWindowProcW 5323->5325 5326 4010f3 5324->5326 5330 401179 5325->5330 5328 401073 CreateBrushIndirect FillRect DeleteObject 5326->5328 5329 4010fc 5326->5329 5328->5326 5331 401102 CreateFontIndirectW 5329->5331 5332 401167 EndPaint 5329->5332 5331->5332 5333 401112 6 API calls 5331->5333 5332->5330 5333->5332 5334 401d81 5335 401d94 GetDlgItem 5334->5335 5336 401d87 5334->5336 5338 401d8e 5335->5338 5337 402d1c 17 API calls 5336->5337 5337->5338 5339 401dd5 GetClientRect LoadImageW SendMessageW 5338->5339 5340 402d3e 17 API calls 5338->5340 5342 401e33 5339->5342 5344 401e3f 5339->5344 5340->5339 5343 401e38 DeleteObject 5342->5343 5342->5344 5343->5344 4152 402482 4153 402d3e 17 API calls 4152->4153 4154 402494 4153->4154 4155 402d3e 17 API calls 4154->4155 4156 40249e 4155->4156 4169 402dce 4156->4169 4159 402bc2 4160 4024d6 4165 4024e2 4160->4165 4193 402d1c 4160->4193 4161 402d3e 17 API calls 4162 4024cc lstrlenW 4161->4162 4162->4160 4164 402501 RegSetValueExW 4167 402517 RegCloseKey 4164->4167 4165->4164 4173 40324c 4165->4173 4167->4159 4170 402de9 4169->4170 4196 4062ac 4170->4196 4175 403265 4173->4175 4174 403293 4200 403467 4174->4200 4175->4174 4203 40347d SetFilePointer 4175->4203 4179 4033ea 4179->4164 4180 403400 4182 403442 4180->4182 4185 403404 4180->4185 4181 4032b0 GetTickCount 4181->4179 4189 4032ff 4181->4189 4184 403467 ReadFile 4182->4184 4183 403467 ReadFile 4183->4189 4184->4179 4185->4179 4186 403467 ReadFile 4185->4186 4187 405fb9 WriteFile 4185->4187 4186->4185 4187->4185 4188 403355 GetTickCount 4188->4189 4189->4179 4189->4183 4189->4188 4190 40337a MulDiv wsprintfW 4189->4190 4192 405fb9 WriteFile 4189->4192 4191 405479 24 API calls 4190->4191 4191->4189 4192->4189 4194 40644e 17 API calls 4193->4194 4195 402d31 4194->4195 
4195->4165 4197 4062bb 4196->4197 4198 4024ae 4197->4198 4199 4062c6 RegCreateKeyExW 4197->4199 4198->4159 4198->4160 4198->4161 4199->4198 4201 405f8a ReadFile 4200->4201 4202 40329e 4201->4202 4202->4179 4202->4180 4202->4181 4203->4174 5345 402902 5346 402d3e 17 API calls 5345->5346 5347 402909 FindFirstFileW 5346->5347 5348 402931 5347->5348 5351 40291c 5347->5351 5349 40293a 5348->5349 5353 406358 wsprintfW 5348->5353 5354 406411 lstrcpynW 5349->5354 5353->5349 5354->5351 5355 739a1058 5357 739a1074 5355->5357 5356 739a10dd 5357->5356 5358 739a1092 5357->5358 5359 739a1516 GlobalFree 5357->5359 5360 739a1516 GlobalFree 5358->5360 5359->5358 5361 739a10a2 5360->5361 5362 739a10a9 GlobalSize 5361->5362 5363 739a10b2 5361->5363 5362->5363 5364 739a10c7 5363->5364 5365 739a10b6 GlobalAlloc 5363->5365 5367 739a10d2 GlobalFree 5364->5367 5366 739a153d 3 API calls 5365->5366 5366->5364 5367->5356 5368 739a18d9 5370 739a18fc 5368->5370 5369 739a1943 __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z __allrem 5372 739a1272 2 API calls 5369->5372 5370->5369 5371 739a1931 GlobalFree 5370->5371 5371->5369 5373 739a1ace GlobalFree GlobalFree 5372->5373 5374 401503 5375 40150b 5374->5375 5377 40151e 5374->5377 5376 402d1c 17 API calls 5375->5376 5376->5377 4236 739a29df 4237 739a2a2f 4236->4237 4238 739a29ef VirtualProtect 4236->4238 4238->4237 5378 402889 5379 402890 5378->5379 5381 402b0d 5378->5381 5380 402d1c 17 API calls 5379->5380 5382 402897 5380->5382 5383 4028a6 SetFilePointer 5382->5383 5383->5381 5384 4028b6 5383->5384 5386 406358 wsprintfW 5384->5386 5386->5381 5387 40190c 5388 401943 5387->5388 5389 402d3e 17 API calls 5388->5389 5390 401948 5389->5390 5391 405b23 67 API calls 5390->5391 5392 401951 5391->5392 4575 403e8e 4576 403fe1 4575->4576 4577 403ea6 4575->4577 4578 403ff2 GetDlgItem GetDlgItem 4576->4578 4579 404032 4576->4579 4577->4576 4580 403eb2 4577->4580 4647 404367 4578->4647 4582 40408c 4579->4582 4592 401389 2 API calls 4579->4592 4583 403ed0 
4580->4583 4584 403ebd SetWindowPos 4580->4584 4588 4043b3 SendMessageW 4582->4588 4593 403fdc 4582->4593 4585 403ed5 ShowWindow 4583->4585 4586 403eed 4583->4586 4584->4583 4585->4586 4589 403ef5 DestroyWindow 4586->4589 4590 403f0f 4586->4590 4587 40401c KiUserCallbackDispatcher 4591 40140b 2 API calls 4587->4591 4615 40409e 4588->4615 4594 404311 4589->4594 4595 403f14 SetWindowLongW 4590->4595 4596 403f25 4590->4596 4591->4579 4597 404064 4592->4597 4594->4593 4603 404321 ShowWindow 4594->4603 4595->4593 4600 403f31 GetDlgItem 4596->4600 4601 403fce 4596->4601 4597->4582 4602 404068 SendMessageW 4597->4602 4598 40140b 2 API calls 4598->4615 4599 4042f2 DestroyWindow EndDialog 4599->4594 4604 403f61 4600->4604 4605 403f44 SendMessageW IsWindowEnabled 4600->4605 4656 4043ce 4601->4656 4602->4593 4603->4593 4608 403f6e 4604->4608 4610 403fb5 SendMessageW 4604->4610 4611 403f81 4604->4611 4619 403f66 4604->4619 4605->4593 4605->4604 4607 40644e 17 API calls 4607->4615 4608->4610 4608->4619 4610->4601 4612 403f89 4611->4612 4613 403f9e 4611->4613 4616 40140b 2 API calls 4612->4616 4617 40140b 2 API calls 4613->4617 4614 403f9c 4614->4601 4615->4593 4615->4598 4615->4599 4615->4607 4618 404367 18 API calls 4615->4618 4621 404367 18 API calls 4615->4621 4637 404232 DestroyWindow 4615->4637 4616->4619 4620 403fa5 4617->4620 4618->4615 4653 404340 4619->4653 4620->4601 4620->4619 4622 404119 GetDlgItem 4621->4622 4623 404136 ShowWindow KiUserCallbackDispatcher 4622->4623 4624 40412e 4622->4624 4650 404389 EnableWindow 4623->4650 4624->4623 4626 404160 EnableWindow 4631 404174 4626->4631 4627 404179 GetSystemMenu EnableMenuItem SendMessageW 4628 4041a9 SendMessageW 4627->4628 4627->4631 4628->4631 4630 403e6f 18 API calls 4630->4631 4631->4627 4631->4630 4651 40439c SendMessageW 4631->4651 4652 406411 lstrcpynW 4631->4652 4633 4041d8 lstrlenW 4634 40644e 17 API calls 4633->4634 4635 4041ee SetWindowTextW 4634->4635 4636 401389 2 API calls 4635->4636 4636->4615 4637->4594 
4638 40424c CreateDialogParamW 4637->4638 4638->4594 4639 40427f 4638->4639 4640 404367 18 API calls 4639->4640 4641 40428a GetDlgItem GetWindowRect ScreenToClient SetWindowPos 4640->4641 4642 401389 2 API calls 4641->4642 4643 4042d0 4642->4643 4643->4593 4644 4042d8 ShowWindow 4643->4644 4645 4043b3 SendMessageW 4644->4645 4646 4042f0 4645->4646 4646->4594 4648 40644e 17 API calls 4647->4648 4649 404372 SetDlgItemTextW 4648->4649 4649->4587 4650->4626 4651->4631 4652->4633 4654 404347 4653->4654 4655 40434d SendMessageW 4653->4655 4654->4655 4655->4614 4657 4043e6 GetWindowLongW 4656->4657 4658 404491 4656->4658 4657->4658 4659 4043fb 4657->4659 4658->4593 4659->4658 4660 404428 GetSysColor 4659->4660 4661 40442b 4659->4661 4660->4661 4662 404431 SetTextColor 4661->4662 4663 40443b SetBkMode 4661->4663 4662->4663 4664 404453 GetSysColor 4663->4664 4665 404459 4663->4665 4664->4665 4666 404460 SetBkColor 4665->4666 4667 40446a 4665->4667 4666->4667 4667->4658 4668 404484 CreateBrushIndirect 4667->4668 4669 40447d DeleteObject 4667->4669 4668->4658 4669->4668 5393 739a16d4 5394 739a1703 5393->5394 5395 739a1b5f 22 API calls 5394->5395 5396 739a170a 5395->5396 5397 739a171d 5396->5397 5398 739a1711 5396->5398 5400 739a1727 5397->5400 5401 739a1744 5397->5401 5399 739a1272 2 API calls 5398->5399 5404 739a171b 5399->5404 5405 739a153d 3 API calls 5400->5405 5402 739a174a 5401->5402 5403 739a176e 5401->5403 5406 739a15b4 3 API calls 5402->5406 5407 739a153d 3 API calls 5403->5407 5408 739a172c 5405->5408 5409 739a174f 5406->5409 5407->5404 5410 739a15b4 3 API calls 5408->5410 5411 739a1272 2 API calls 5409->5411 5412 739a1732 5410->5412 5413 739a1755 GlobalFree 5411->5413 5414 739a1272 2 API calls 5412->5414 5413->5404 5416 739a1769 GlobalFree 5413->5416 5415 739a1738 GlobalFree 5414->5415 5415->5404 5416->5404 5417 40190f 5418 402d3e 17 API calls 5417->5418 5419 401916 5418->5419 5420 405a77 MessageBoxIndirectW 5419->5420 5421 40191f 5420->5421 5422 404811 5423 404821 
5422->5423 5424 404847 5422->5424 5425 404367 18 API calls 5423->5425 5426 4043ce 8 API calls 5424->5426 5427 40482e SetDlgItemTextW 5425->5427 5428 404853 5426->5428 5427->5424 5429 401491 5430 405479 24 API calls 5429->5430 5431 401498 5430->5431 5432 401f12 5433 402d3e 17 API calls 5432->5433 5434 401f18 5433->5434 5435 402d3e 17 API calls 5434->5435 5436 401f21 5435->5436 5437 402d3e 17 API calls 5436->5437 5438 401f2a 5437->5438 5439 402d3e 17 API calls 5438->5439 5440 401f33 5439->5440 5441 401423 24 API calls 5440->5441 5442 401f3a 5441->5442 5449 405a3d ShellExecuteExW 5442->5449 5444 401f82 5445 4068b1 5 API calls 5444->5445 5447 402925 5444->5447 5446 401f9f CloseHandle 5445->5446 5446->5447 5449->5444 5450 739a2349 5451 739a23b3 5450->5451 5452 739a23be GlobalAlloc 5451->5452 5453 739a23dd 5451->5453 5452->5451 5454 402614 5455 402d3e 17 API calls 5454->5455 5456 40261b 5455->5456 5459 405f07 GetFileAttributesW CreateFileW 5456->5459 5458 402627 5459->5458 4975 402596 4976 402d7e 17 API calls 4975->4976 4977 4025a0 4976->4977 4978 402d1c 17 API calls 4977->4978 4979 4025a9 4978->4979 4980 4025d1 RegEnumValueW 4979->4980 4981 4025c5 RegEnumKeyW 4979->4981 4983 402925 4979->4983 4982 4025e6 RegCloseKey 4980->4982 4981->4982 4982->4983 5460 401d17 5461 402d1c 17 API calls 5460->5461 5462 401d1d IsWindow 5461->5462 5463 401a20 5462->5463 5464 401b9b 5465 401ba8 5464->5465 5466 401bec 5464->5466 5469 401c31 5465->5469 5474 401bbf 5465->5474 5467 401bf1 5466->5467 5468 401c16 GlobalAlloc 5466->5468 5477 402395 5467->5477 5485 406411 lstrcpynW 5467->5485 5471 40644e 17 API calls 5468->5471 5470 40644e 17 API calls 5469->5470 5469->5477 5473 40238f 5470->5473 5471->5469 5473->5477 5478 405a77 MessageBoxIndirectW 5473->5478 5483 406411 lstrcpynW 5474->5483 5475 401c03 GlobalFree 5475->5477 5478->5477 5479 401bce 5484 406411 lstrcpynW 5479->5484 5481 401bdd 5486 406411 lstrcpynW 5481->5486 5483->5479 5484->5481 5485->5475 5486->5477 5487 40449d lstrcpynW lstrlenW 

                                                [Control-flow graph of the entry function starting at 4034c5; legend: Executed / Not Executed]
                                                C-Code - Quality: 81%
                                                			_entry_() {
                                                				signed int _t51;
                                                				intOrPtr* _t56;
                                                				WCHAR* _t60;
                                                				char* _t62;
                                                				void* _t65;
                                                				void* _t67;
                                                				int _t69;
                                                				int _t71;
                                                				int _t74;
                                                				intOrPtr* _t75;
                                                				int _t76;
                                                				int _t78;
                                                				void* _t102;
                                                				signed int _t119;
                                                				void* _t122;
                                                				void* _t127;
                                                				intOrPtr _t146;
                                                				intOrPtr _t147;
                                                				intOrPtr* _t148;
                                                				int _t150;
                                                				void* _t153;
                                                				int _t154;
                                                				signed int _t158;
                                                				signed int _t163;
                                                				signed int _t168;
                                                				void* _t170;
                                                				void* _t172;
                                                				int* _t174;
                                                				signed int _t180;
                                                				signed int _t183;
                                                				CHAR* _t184;
                                                				WCHAR* _t185;
                                                				void* _t191;
                                                				char* _t192;
                                                				void* _t195;
                                                				void* _t196;
                                                				void* _t242;
                                                
                                                				_t170 = 0x20;
                                                				_t150 = 0;
                                                				 *(_t196 + 0x14) = 0;
                                                				 *(_t196 + 0x10) = L"Error writing temporary file. Make sure your temp folder is valid.";
                                                				 *(_t196 + 0x1c) = 0;
                                                				SetErrorMode(0x8001); // executed
                                                				_t51 = GetVersion() & 0xbfffffff;
                                                				 *0x434f0c = _t51;
                                                				if(_t51 != 6) {
                                                					_t148 = E00406806(0);
                                                					if(_t148 != 0) {
                                                						 *_t148(0xc00);
                                                					}
                                                				}
                                                				_t184 = "UXTHEME";
                                                				goto L4;
                                                				L8:
                                                				__imp__#17(_t191);
                                                				__imp__OleInitialize(_t150); // executed
                                                				 *0x434fd8 = _t56;
                                                				SHGetFileInfoW(0x42b228, _t150, _t196 + 0x34, 0x2b4, _t150); // executed
                                                				E00406411(0x433f00, L"NSIS Error");
                                                				_t60 = GetCommandLineW();
                                                				_t192 = L"\"C:\\Users\\jones\\Desktop\\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe\"";
                                                				E00406411(_t192, _t60);
                                                				 *0x434f00 = 0x400000;
                                                				_t62 = _t192;
                                                				if(L"\"C:\\Users\\jones\\Desktop\\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe\"" == 0x22) {
                                                					_t62 =  &M00440002;
                                                					_t170 = 0x22;
                                                				}
                                                				_t154 = CharNextW(E00405D13(_t62, _t170));
                                                				 *(_t196 + 0x18) = _t154;
                                                				_t65 =  *_t154;
                                                				if(_t65 == _t150) {
                                                					L33:
                                                					_t185 = L"C:\\Users\\jones\\AppData\\Local\\Temp\\";
                                                					GetTempPathW(0x400, _t185);
                                                					_t67 = E00403494(_t154, 0);
                                                					_t224 = _t67;
                                                					if(_t67 != 0) {
                                                						L36:
                                                						DeleteFileW(L"1033"); // executed
                                                						_t69 = E00403015(_t226,  *(_t196 + 0x1c)); // executed
                                                						 *(_t196 + 0x10) = _t69;
                                                						if(_t69 != _t150) {
                                                							L48:
                                                							E00403A06();
                                                							__imp__OleUninitialize();
                                                							_t238 =  *(_t196 + 0x10) - _t150;
                                                							if( *(_t196 + 0x10) == _t150) {
                                                								__eflags =  *0x434fb4 - _t150;
                                                								if( *0x434fb4 == _t150) {
                                                									L72:
                                                									_t71 =  *0x434fcc;
                                                									__eflags = _t71 - 0xffffffff;
                                                									if(_t71 != 0xffffffff) {
                                                										 *(_t196 + 0x10) = _t71;
                                                									}
                                                									ExitProcess( *(_t196 + 0x10));
                                                								}
                                                								_t74 = OpenProcessToken(GetCurrentProcess(), 0x28, _t196 + 0x14);
                                                								__eflags = _t74;
                                                								if(_t74 != 0) {
                                                									LookupPrivilegeValueW(_t150, L"SeShutdownPrivilege", _t196 + 0x20);
                                                									 *(_t196 + 0x34) = 1;
                                                									 *(_t196 + 0x40) = 2;
                                                									AdjustTokenPrivileges( *(_t196 + 0x28), _t150, _t196 + 0x24, _t150, _t150, _t150);
                                                								}
                                                								_t75 = E00406806(4);
                                                								__eflags = _t75 - _t150;
                                                								if(_t75 == _t150) {
                                                									L70:
                                                									_t76 = ExitWindowsEx(2, 0x80040002);
                                                									__eflags = _t76;
                                                									if(_t76 != 0) {
                                                										goto L72;
                                                									}
                                                									goto L71;
                                                								} else {
                                                									_t78 =  *_t75(_t150, _t150, _t150, 0x25, 0x80040002);
                                                									__eflags = _t78;
                                                									if(_t78 == 0) {
                                                										L71:
                                                										E0040140B(9);
                                                										goto L72;
                                                									}
                                                									goto L70;
                                                								}
                                                							}
                                                							E00405A77( *(_t196 + 0x10), 0x200010);
                                                							ExitProcess(2);
                                                						}
                                                						if( *0x434f20 == _t150) {
                                                							L47:
                                                							 *0x434fcc =  *0x434fcc | 0xffffffff;
                                                							 *(_t196 + 0x14) = E00403AE0( *0x434fcc);
                                                							goto L48;
                                                						}
                                                						_t174 = E00405D13(_t192, _t150);
                                                						if(_t174 < _t192) {
                                                							L44:
                                                							_t235 = _t174 - _t192;
                                                							 *(_t196 + 0x10) = L"Error launching installer";
                                                							if(_t174 < _t192) {
                                                								_t172 = E004059E2(_t238);
                                                								lstrcatW(_t185, L"~nsu");
                                                								if(_t172 != _t150) {
                                                									lstrcatW(_t185, "A");
                                                								}
                                                								lstrcatW(_t185, L".tmp");
                                                								_t194 = L"C:\\Users\\jones\\Desktop";
                                                								if(lstrcmpiW(_t185, L"C:\\Users\\jones\\Desktop") != 0) {
                                                									_push(_t185);
                                                									if(_t172 == _t150) {
                                                										E004059C5();
                                                									} else {
                                                										E00405948();
                                                									}
                                                									SetCurrentDirectoryW(_t185);
                                                									_t242 = L"C:\\Users\\jones\\AppData\\Roaming\\Shoved" - _t150; // 0x43
                                                									if(_t242 == 0) {
                                                										E00406411(L"C:\\Users\\jones\\AppData\\Roaming\\Shoved", _t194);
                                                									}
                                                									E00406411(0x436000,  *(_t196 + 0x18));
                                                									_t155 = "A" & 0x0000ffff;
                                                									 *0x436800 = ( *0x40a25a & 0x0000ffff) << 0x00000010 | "A" & 0x0000ffff;
                                                									_t195 = 0x1a;
                                                									do {
                                                										E0040644E(_t150, 0x42aa28, _t185, 0x42aa28,  *((intOrPtr*)( *0x434f14 + 0x120)));
                                                										DeleteFileW(0x42aa28);
                                                										if( *(_t196 + 0x10) != _t150 && CopyFileW(L"C:\\Users\\jones\\Desktop\\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe", 0x42aa28, 1) != 0) {
                                                											E004061D7(_t155, 0x42aa28, _t150);
                                                											E0040644E(_t150, 0x42aa28, _t185, 0x42aa28,  *((intOrPtr*)( *0x434f14 + 0x124)));
                                                											_t102 = E004059FA(0x42aa28);
                                                											if(_t102 != _t150) {
                                                												CloseHandle(_t102);
                                                												 *(_t196 + 0x10) = _t150;
                                                											}
                                                										}
                                                										 *0x436800 =  *0x436800 + 1;
                                                										_t195 = _t195 - 1;
                                                									} while (_t195 != 0);
                                                									E004061D7(_t155, _t185, _t150);
                                                								}
                                                								goto L48;
                                                							}
                                                							 *_t174 = _t150;
                                                							_t175 =  &(_t174[2]);
                                                							if(E00405DEE(_t235,  &(_t174[2])) == 0) {
                                                								goto L48;
                                                							}
                                                							E00406411(L"C:\\Users\\jones\\AppData\\Roaming\\Shoved", _t175);
                                                							E00406411(L"C:\\Users\\jones\\AppData\\Roaming\\Shoved\\Factorist", _t175);
                                                							 *(_t196 + 0x10) = _t150;
                                                							goto L47;
                                                						}
                                                						asm("cdq");
                                                						asm("cdq");
                                                						asm("cdq");
                                                						_t158 = ( *0x40a27e & 0x0000ffff) << 0x00000010 | L" _?=" & 0x0000ffff;
                                                						_t119 = ( *0x40a282 & 0x0000ffff) << 0x00000010 |  *0x40a280 & 0x0000ffff | (_t163 << 0x00000020 |  *0x40a282 & 0x0000ffff) << 0x10;
                                                						while( *_t174 != _t158 || _t174[1] != _t119) {
                                                							_t174 = _t174;
                                                							if(_t174 >= _t192) {
                                                								continue;
                                                							}
                                                							break;
                                                						}
                                                						_t150 = 0;
                                                						goto L44;
                                                					}
                                                					GetWindowsDirectoryW(_t185, 0x3fb);
                                                					lstrcatW(_t185, L"\\Temp");
                                                					_t122 = E00403494(_t154, _t224);
                                                					_t225 = _t122;
                                                					if(_t122 != 0) {
                                                						goto L36;
                                                					}
                                                					GetTempPathW(0x3fc, _t185);
                                                					lstrcatW(_t185, L"Low");
                                                					SetEnvironmentVariableW(L"TEMP", _t185);
                                                					SetEnvironmentVariableW(L"TMP", _t185);
                                                					_t127 = E00403494(_t154, _t225);
                                                					_t226 = _t127;
                                                					if(_t127 == 0) {
                                                						goto L48;
                                                					}
                                                					goto L36;
                                                				} else {
                                                					do {
                                                						_t153 = 0x20;
                                                						if(_t65 != _t153) {
                                                							L13:
                                                							if( *_t154 == 0x22) {
                                                								_t154 = _t154 + 2;
                                                								_t153 = 0x22;
                                                							}
                                                							if( *_t154 != 0x2f) {
                                                								goto L27;
                                                							} else {
                                                								_t154 = _t154 + 2;
                                                								if( *_t154 == 0x53) {
                                                									_t147 =  *((intOrPtr*)(_t154 + 2));
                                                									if(_t147 == 0x20 || _t147 == 0) {
                                                										 *0x434fc0 = 1;
                                                									}
                                                								}
                                                								asm("cdq");
                                                								asm("cdq");
                                                								_t168 = L"NCRC" & 0x0000ffff;
                                                								asm("cdq");
                                                								_t180 = ( *0x40a2c2 & 0x0000ffff) << 0x00000010 |  *0x40a2c0 & 0x0000ffff | _t168;
                                                								if( *_t154 == (( *0x40a2be & 0x0000ffff) << 0x00000010 | _t168) &&  *((intOrPtr*)(_t154 + 4)) == _t180) {
                                                									_t146 =  *((intOrPtr*)(_t154 + 8));
                                                									if(_t146 == 0x20 || _t146 == 0) {
                                                										 *(_t196 + 0x1c) =  *(_t196 + 0x1c) | 0x00000004;
                                                									}
                                                								}
                                                								asm("cdq");
                                                								asm("cdq");
                                                								_t163 = L" /D=" & 0x0000ffff;
                                                								asm("cdq");
                                                								_t183 = ( *0x40a2b6 & 0x0000ffff) << 0x00000010 |  *0x40a2b4 & 0x0000ffff | _t163;
                                                								if( *(_t154 - 4) != (( *0x40a2b2 & 0x0000ffff) << 0x00000010 | _t163) ||  *_t154 != _t183) {
                                                									goto L27;
                                                								} else {
                                                									 *(_t154 - 4) =  *(_t154 - 4) & 0x00000000;
                                                									__eflags = _t154;
                                                									E00406411(L"C:\\Users\\jones\\AppData\\Roaming\\Shoved", _t154);
                                                									L32:
                                                									_t150 = 0;
                                                									goto L33;
                                                								}
                                                							}
                                                						} else {
                                                							goto L12;
                                                						}
                                                						do {
                                                							L12:
                                                							_t154 = _t154 + 2;
                                                						} while ( *_t154 == _t153);
                                                						goto L13;
                                                						L27:
                                                						_t154 = E00405D13(_t154, _t153);
                                                						if( *_t154 == 0x22) {
                                                							_t154 = _t154 + 2;
                                                						}
                                                						_t65 =  *_t154;
                                                					} while (_t65 != 0);
                                                					goto L32;
                                                				}
                                                				L4:
                                                				E00406796(_t184); // executed
                                                				_t184 =  &(_t184[lstrlenA(_t184) + 1]);
                                                				if( *_t184 != 0) {
                                                					goto L4;
                                                				} else {
                                                					E00406806(0xb);
                                                					 *0x434f04 = E00406806(9);
                                                					_t56 = E00406806(7);
                                                					if(_t56 != _t150) {
                                                						_t56 =  *_t56(0x1e);
                                                						if(_t56 != 0) {
                                                							 *0x434f0f =  *0x434f0f | 0x00000040;
                                                						}
                                                					}
                                                					goto L8;
                                                				}
                                                			}

                                                APIs
                                                • SetErrorMode.KERNELBASE ref: 004034E8
                                                • GetVersion.KERNEL32 ref: 004034EE
                                                • lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 00403521
                                                • #17.COMCTL32(?,00000007,00000009,0000000B), ref: 0040355E
                                                • OleInitialize.OLE32(00000000), ref: 00403565
                                                • SHGetFileInfoW.SHELL32(0042B228,00000000,?,000002B4,00000000), ref: 00403581
                                                • GetCommandLineW.KERNEL32(00433F00,NSIS Error,?,00000007,00000009,0000000B), ref: 00403596
                                                • CharNextW.USER32(00000000,"C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe",00000020,"C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe",00000000,?,00000007,00000009,0000000B), ref: 004035CE
                                                  • Part of subcall function 00406806: GetModuleHandleA.KERNEL32(?,00000020,?,00403537,0000000B), ref: 00406818
                                                  • Part of subcall function 00406806: GetProcAddress.KERNEL32(00000000,?), ref: 00406833
                                                • GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,?,00000007,00000009,0000000B), ref: 00403708
                                                • GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB,?,00000007,00000009,0000000B), ref: 00403719
                                                • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 00403725
                                                • GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp,?,00000007,00000009,0000000B), ref: 00403739
                                                • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low), ref: 00403741
                                                • SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low,?,00000007,00000009,0000000B), ref: 00403752
                                                • SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\,?,00000007,00000009,0000000B), ref: 0040375A
                                                • DeleteFileW.KERNELBASE(1033,?,00000007,00000009,0000000B), ref: 0040376E
                                                  • Part of subcall function 00406411: lstrcpynW.KERNEL32(?,?,00000400,00403596,00433F00,NSIS Error,?,00000007,00000009,0000000B), ref: 0040641E
                                                • OleUninitialize.OLE32(00000007,?,00000007,00000009,0000000B), ref: 00403839
                                                • ExitProcess.KERNEL32 ref: 0040385A
                                                • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu), ref: 0040386D
                                                • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,0040A26C), ref: 0040387C
                                                • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,.tmp), ref: 00403887
                                                • lstrcmpiW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\Desktop,C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe",00000000,00000007,?,00000007,00000009,0000000B), ref: 00403893
                                                • SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,?,00000007,00000009,0000000B), ref: 004038AF
                                                • DeleteFileW.KERNEL32(0042AA28,0042AA28,?,00436000,00000009,?,00000007,00000009,0000000B), ref: 00403909
                                                • CopyFileW.KERNEL32(C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe,0042AA28,00000001,?,00000007,00000009,0000000B), ref: 0040391D
                                                • CloseHandle.KERNEL32(00000000,0042AA28,0042AA28,?,0042AA28,00000000,?,00000007,00000009,0000000B), ref: 0040394A
                                                • GetCurrentProcess.KERNEL32(00000028,0000000B,00000007,00000009,0000000B), ref: 00403979
                                                • OpenProcessToken.ADVAPI32(00000000), ref: 00403980
                                                • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403995
                                                • AdjustTokenPrivileges.ADVAPI32 ref: 004039B8
                                                • ExitWindowsEx.USER32(00000002,80040002), ref: 004039DD
                                                • ExitProcess.KERNEL32 ref: 00403A00
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.835235633.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.835227877.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835247650.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835255668.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835279889.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835287535.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835293393.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835311029.0000000000460000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835319576.000000000047B000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835326492.000000000047E000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900.jbxd
                                                Similarity
                                                • API ID: lstrcat$FileProcess$Exit$CurrentDeleteDirectoryEnvironmentHandlePathTempTokenVariableWindows$AddressAdjustCharCloseCommandCopyErrorInfoInitializeLineLookupModeModuleNextOpenPrivilegePrivilegesProcUninitializeValueVersionlstrcmpilstrcpynlstrlen
                                                • String ID: "C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe"$.tmp$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\Shoved$C:\Users\user\AppData\Roaming\Shoved\Factorist$C:\Users\user\Desktop$C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
                                                • API String ID: 3441113951-3701086598
                                                • Opcode ID: ce25b764dac2c90f857618beb49180f73b32db989e1771c1845c73eb86c2c21e
                                                • Instruction ID: 633452ec6b1f102921f1489b21fe302f429ce1b90f1906ff0e0a9b5b291269fb
                                                • Opcode Fuzzy Hash: ce25b764dac2c90f857618beb49180f73b32db989e1771c1845c73eb86c2c21e
                                                • Instruction Fuzzy Hash: 7DD12671600311ABE7207F659D45B3B3AACEB8070AF11443FF581B62D1DBBD89518B6E
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 95%
                                                			E739A1B5F() {
                                                				signed int _v8;
                                                				signed int _v12;
                                                				signed int _v16;
                                                				signed int _v20;
                                                				WCHAR* _v24;
                                                				WCHAR* _v28;
                                                				signed int _v32;
                                                				signed int _v36;
                                                				signed int _v40;
                                                				signed int _v44;
                                                				WCHAR* _v48;
                                                				signed int _v52;
                                                				void* _v56;
                                                				intOrPtr _v60;
                                                				WCHAR* _t208;
                                                				signed int _t211;
                                                				void* _t213;
                                                				void* _t215;
                                                				WCHAR* _t217;
                                                				void* _t225;
                                                				struct HINSTANCE__* _t226;
                                                				struct HINSTANCE__* _t227;
                                                				struct HINSTANCE__* _t229;
                                                				signed short _t231;
                                                				struct HINSTANCE__* _t234;
                                                				struct HINSTANCE__* _t236;
                                                				void* _t237;
                                                				intOrPtr* _t238;
                                                				void* _t249;
                                                				signed char _t250;
                                                				signed int _t251;
                                                				void* _t255;
                                                				struct HINSTANCE__* _t257;
                                                				void* _t258;
                                                				signed int _t260;
                                                				signed int _t261;
                                                				signed short* _t264;
                                                				signed int _t269;
                                                				signed int _t272;
                                                				signed int _t274;
                                                				void* _t277;
                                                				void* _t281;
                                                				struct HINSTANCE__* _t283;
                                                				signed int _t286;
                                                				void _t287;
                                                				signed int _t288;
                                                				signed int _t300;
                                                				signed int _t301;
                                                				signed short _t304;
                                                				void* _t305;
                                                				signed int _t309;
                                                				signed int _t312;
                                                				signed int _t315;
                                                				signed int _t316;
                                                				signed int _t317;
                                                				signed short* _t321;
                                                				WCHAR* _t322;
                                                				WCHAR* _t324;
                                                				WCHAR* _t325;
                                                				struct HINSTANCE__* _t326;
                                                				void* _t328;
                                                				signed int _t331;
                                                				void* _t332;
                                                
                                                				_t283 = 0;
                                                				_v32 = 0;
                                                				_v36 = 0;
                                                				_v16 = 0;
                                                				_v8 = 0;
                                                				_v40 = 0;
                                                				_t332 = 0;
                                                				_v52 = 0;
                                                				_v44 = 0;
                                                				_t208 = E739A121B();
                                                				_v24 = _t208;
                                                				_v28 = _t208;
                                                				_v48 = E739A121B();
                                                				_t321 = E739A1243();
                                                				_v56 = _t321;
                                                				_v12 = _t321;
                                                				while(1) {
                                                					_t211 = _v32;
                                                					_v60 = _t211;
                                                					if(_t211 != _t283 && _t332 == _t283) {
                                                						break;
                                                					}
                                                					_t286 =  *_t321 & 0x0000ffff;
                                                					_t213 = _t286 - _t283;
                                                					if(_t213 == 0) {
                                                						_t37 =  &_v32;
                                                						 *_t37 = _v32 | 0xffffffff;
                                                						__eflags =  *_t37;
                                                						L20:
                                                						_t215 = _v60 - _t283;
                                                						if(_t215 == 0) {
                                                							__eflags = _t332 - _t283;
                                                							 *_v28 = _t283;
                                                							if(_t332 == _t283) {
                                                								_t255 = GlobalAlloc(0x40, 0x1ca4); // executed
                                                								_t332 = _t255;
                                                								 *(_t332 + 0x1010) = _t283;
                                                								 *(_t332 + 0x1014) = _t283;
                                                							}
                                                							_t287 = _v36;
                                                							_t47 = _t332 + 8; // 0x8
                                                							_t217 = _t47;
                                                							_t48 = _t332 + 0x808; // 0x808
                                                							_t322 = _t48;
                                                							 *_t332 = _t287;
                                                							_t288 = _t287 - _t283;
                                                							__eflags = _t288;
                                                							 *_t217 = _t283;
                                                							 *_t322 = _t283;
                                                							 *(_t332 + 0x1008) = _t283;
                                                							 *(_t332 + 0x100c) = _t283;
                                                							 *(_t332 + 4) = _t283;
                                                							if(_t288 == 0) {
                                                								__eflags = _v28 - _v24;
                                                								if(_v28 == _v24) {
                                                									goto L42;
                                                								}
                                                								_t328 = 0;
                                                								GlobalFree(_t332);
                                                								_t332 = E739A1311(_v24);
                                                								__eflags = _t332 - _t283;
                                                								if(_t332 == _t283) {
                                                									goto L42;
                                                								} else {
                                                									goto L35;
                                                								}
                                                								while(1) {
                                                									L35:
                                                									_t249 =  *(_t332 + 0x1ca0);
                                                									__eflags = _t249 - _t283;
                                                									if(_t249 == _t283) {
                                                										break;
                                                									}
                                                									_t328 = _t332;
                                                									_t332 = _t249;
                                                									__eflags = _t332 - _t283;
                                                									if(_t332 != _t283) {
                                                										continue;
                                                									}
                                                									break;
                                                								}
                                                								__eflags = _t328 - _t283;
                                                								if(_t328 != _t283) {
                                                									 *(_t328 + 0x1ca0) = _t283;
                                                								}
                                                								_t250 =  *(_t332 + 0x1010);
                                                								__eflags = _t250 & 0x00000008;
                                                								if((_t250 & 0x00000008) == 0) {
                                                									_t251 = _t250 | 0x00000002;
                                                									__eflags = _t251;
                                                									 *(_t332 + 0x1010) = _t251;
                                                								} else {
                                                									_t332 = E739A158F(_t332);
                                                									 *(_t332 + 0x1010) =  *(_t332 + 0x1010) & 0xfffffff5;
                                                								}
                                                								goto L42;
                                                							} else {
                                                								_t300 = _t288 - 1;
                                                								__eflags = _t300;
                                                								if(_t300 == 0) {
                                                									L31:
                                                									lstrcpyW(_t217, _v48);
                                                									L32:
                                                									lstrcpyW(_t322, _v24);
                                                									goto L42;
                                                								}
                                                								_t301 = _t300 - 1;
                                                								__eflags = _t301;
                                                								if(_t301 == 0) {
                                                									goto L32;
                                                								}
                                                								__eflags = _t301 != 1;
                                                								if(_t301 != 1) {
                                                									goto L42;
                                                								}
                                                								goto L31;
                                                							}
                                                						} else {
                                                							if(_t215 == 1) {
                                                								_t257 = _v16;
                                                								if(_v40 == _t283) {
                                                									_t257 = _t257 - 1;
                                                								}
                                                								 *(_t332 + 0x1014) = _t257;
                                                							}
                                                							L42:
                                                							_v12 = _v12 + 2;
                                                							_v28 = _v24;
                                                							L59:
                                                							if(_v32 != 0xffffffff) {
                                                								_t321 = _v12;
                                                								continue;
                                                							}
                                                							break;
                                                						}
                                                					}
                                                					_t258 = _t213 - 0x23;
                                                					if(_t258 == 0) {
                                                						__eflags = _t321 - _v56;
                                                						if(_t321 <= _v56) {
                                                							L17:
                                                							__eflags = _v44 - _t283;
                                                							if(_v44 != _t283) {
                                                								L43:
                                                								_t260 = _v32 - _t283;
                                                								__eflags = _t260;
                                                								if(_t260 == 0) {
                                                									_t261 = _t286;
                                                									while(1) {
                                                										__eflags = _t261 - 0x22;
                                                										if(_t261 != 0x22) {
                                                											break;
                                                										}
                                                										_t321 =  &(_t321[1]);
                                                										__eflags = _v44 - _t283;
                                                										_v12 = _t321;
                                                										if(_v44 == _t283) {
                                                											_v44 = 1;
                                                											L162:
                                                											_v28 =  &(_v28[0]);
                                                											 *_v28 =  *_t321;
                                                											L58:
                                                											_t331 =  &(_t321[1]);
                                                											__eflags = _t331;
                                                											_v12 = _t331;
                                                											goto L59;
                                                										}
                                                										_t261 =  *_t321 & 0x0000ffff;
                                                										_v44 = _t283;
                                                									}
                                                									__eflags = _t261 - 0x2a;
                                                									if(_t261 == 0x2a) {
                                                										_v36 = 2;
                                                										L57:
                                                										_t321 = _v12;
                                                										_v28 = _v24;
                                                										_t283 = 0;
                                                										__eflags = 0;
                                                										goto L58;
                                                									}
                                                									__eflags = _t261 - 0x2d;
                                                									if(_t261 == 0x2d) {
                                                										L151:
                                                										_t304 =  *_t321;
                                                										__eflags = _t304 - 0x2d;
                                                										if(_t304 != 0x2d) {
                                                											L154:
                                                											_t264 =  &(_t321[1]);
                                                											__eflags =  *_t264 - 0x3a;
                                                											if( *_t264 != 0x3a) {
                                                												goto L162;
                                                											}
                                                											__eflags = _t304 - 0x2d;
                                                											if(_t304 == 0x2d) {
                                                												goto L162;
                                                											}
                                                											_v36 = 1;
                                                											L157:
                                                											_v12 = _t264;
                                                											__eflags = _v28 - _v24;
                                                											if(_v28 <= _v24) {
                                                												 *_v48 = _t283;
                                                											} else {
                                                												 *_v28 = _t283;
                                                												lstrcpyW(_v48, _v24);
                                                											}
                                                											goto L57;
                                                										}
                                                										_t264 =  &(_t321[1]);
                                                										__eflags =  *_t264 - 0x3e;
                                                										if( *_t264 != 0x3e) {
                                                											goto L154;
                                                										}
                                                										_v36 = 3;
                                                										goto L157;
                                                									}
                                                									__eflags = _t261 - 0x3a;
                                                									if(_t261 != 0x3a) {
                                                										goto L162;
                                                									}
                                                									goto L151;
                                                								}
                                                								_t269 = _t260 - 1;
                                                								__eflags = _t269;
                                                								if(_t269 == 0) {
                                                									L80:
                                                									_t305 = _t286 + 0xffffffde;
                                                									__eflags = _t305 - 0x55;
                                                									if(_t305 > 0x55) {
                                                										goto L57;
                                                									}
                                                									switch( *((intOrPtr*)(( *(_t305 + 0x739a2348) & 0x000000ff) * 4 +  &M739A22BC))) {
                                                										case 0:
                                                											__ecx = _v24;
                                                											__edi = _v12;
                                                											while(1) {
                                                												__edi = __edi + 1;
                                                												__edi = __edi + 1;
                                                												_v12 = __edi;
                                                												__ax =  *__edi;
                                                												__eflags = __ax - __dx;
                                                												if(__ax != __dx) {
                                                													goto L132;
                                                												}
                                                												L131:
                                                												__eflags =  *((intOrPtr*)(__edi + 2)) - __dx;
                                                												if( *((intOrPtr*)(__edi + 2)) != __dx) {
                                                													L136:
                                                													 *__ecx =  *__ecx & 0x00000000;
                                                													__eax = E739A122C(_v24);
                                                													__ebx = __eax;
                                                													goto L97;
                                                												}
                                                												L132:
                                                												__eflags = __ax;
                                                												if(__ax == 0) {
                                                													goto L136;
                                                												}
                                                												__eflags = __ax - __dx;
                                                												if(__ax == __dx) {
                                                													__edi = __edi + 1;
                                                													__edi = __edi + 1;
                                                													__eflags = __edi;
                                                												}
                                                												__ax =  *__edi;
                                                												 *__ecx =  *__edi;
                                                												__ecx = __ecx + 1;
                                                												__ecx = __ecx + 1;
                                                												__edi = __edi + 1;
                                                												__edi = __edi + 1;
                                                												_v12 = __edi;
                                                												__ax =  *__edi;
                                                												__eflags = __ax - __dx;
                                                												if(__ax != __dx) {
                                                													goto L132;
                                                												}
                                                												goto L131;
                                                											}
                                                										case 1:
                                                											_v8 = 1;
                                                											goto L57;
                                                										case 2:
                                                											_v8 = _v8 | 0xffffffff;
                                                											goto L57;
                                                										case 3:
                                                											_v8 = _v8 & 0x00000000;
                                                											_v20 = _v20 & 0x00000000;
                                                											_v16 = _v16 + 1;
                                                											goto L85;
                                                										case 4:
                                                											__eflags = _v20;
                                                											if(_v20 != 0) {
                                                												goto L57;
                                                											}
                                                											_v12 = _v12 - 2;
                                                											__ebx = E739A121B();
                                                											 &_v12 = E739A1AE6( &_v12);
                                                											__eax = E739A1470(__edx, __eax, __edx, __ebx);
                                                											goto L97;
                                                										case 5:
                                                											L105:
                                                											_v20 = _v20 + 1;
                                                											goto L57;
                                                										case 6:
                                                											_push(7);
                                                											goto L123;
                                                										case 7:
                                                											_push(0x19);
                                                											goto L143;
                                                										case 8:
                                                											__eax = 0;
                                                											__eax = 1;
                                                											__eflags = 1;
                                                											goto L107;
                                                										case 9:
                                                											_push(0x15);
                                                											goto L143;
                                                										case 0xa:
                                                											_push(0x16);
                                                											goto L143;
                                                										case 0xb:
                                                											_push(0x18);
                                                											goto L143;
                                                										case 0xc:
                                                											__eax = 0;
                                                											__eax = 1;
                                                											__eflags = 1;
                                                											goto L118;
                                                										case 0xd:
                                                											__eax = 0;
                                                											__eax = 1;
                                                											__eflags = 1;
                                                											goto L109;
                                                										case 0xe:
                                                											__eax = 0;
                                                											__eax = 1;
                                                											__eflags = 1;
                                                											goto L111;
                                                										case 0xf:
                                                											__eax = 0;
                                                											__eax = 1;
                                                											__eflags = 1;
                                                											goto L122;
                                                										case 0x10:
                                                											__eax = 0;
                                                											__eax = 1;
                                                											__eflags = 1;
                                                											goto L113;
                                                										case 0x11:
                                                											_push(3);
                                                											goto L123;
                                                										case 0x12:
                                                											_push(0x17);
                                                											L143:
                                                											_pop(__ebx);
                                                											goto L98;
                                                										case 0x13:
                                                											__eax =  &_v12;
                                                											__eax = E739A1AE6( &_v12);
                                                											__ebx = __eax;
                                                											__ebx = __eax + 1;
                                                											__eflags = __ebx - 0xb;
                                                											if(__ebx < 0xb) {
                                                												__ebx = __ebx + 0xa;
                                                											}
                                                											goto L97;
                                                										case 0x14:
                                                											__ebx = 0xffffffff;
                                                											goto L98;
                                                										case 0x15:
                                                											__eax = 0;
                                                											__eax = 1;
                                                											__eflags = 1;
                                                											goto L116;
                                                										case 0x16:
                                                											__ecx = 0;
                                                											__eflags = 0;
                                                											goto L91;
                                                										case 0x17:
                                                											__eax = 0;
                                                											__eax = 1;
                                                											__eflags = 1;
                                                											goto L120;
                                                										case 0x18:
                                                											_t271 =  *(_t332 + 0x1014);
                                                											__eflags = _t271 - _v16;
                                                											if(_t271 > _v16) {
                                                												_v16 = _t271;
                                                											}
                                                											_v8 = _v8 & 0x00000000;
                                                											_v20 = _v20 & 0x00000000;
                                                											_v36 - 3 = _t271 - (_v36 == 3);
                                                											if(_t271 != _v36 == 3) {
                                                												L85:
                                                												_v40 = 1;
                                                											}
                                                											goto L57;
                                                										case 0x19:
                                                											L107:
                                                											__ecx = 0;
                                                											_v8 = 2;
                                                											__ecx = 1;
                                                											goto L91;
                                                										case 0x1a:
                                                											L118:
                                                											_push(5);
                                                											goto L123;
                                                										case 0x1b:
                                                											L109:
                                                											__ecx = 0;
                                                											_v8 = 3;
                                                											__ecx = 1;
                                                											goto L91;
                                                										case 0x1c:
                                                											L111:
                                                											__ecx = 0;
                                                											__ecx = 1;
                                                											goto L91;
                                                										case 0x1d:
                                                											L122:
                                                											_push(6);
                                                											goto L123;
                                                										case 0x1e:
                                                											L113:
                                                											_push(2);
                                                											goto L123;
                                                										case 0x1f:
                                                											__eax =  &_v12;
                                                											__eax = E739A1AE6( &_v12);
                                                											__ebx = __eax;
                                                											__ebx = __eax + 1;
                                                											goto L97;
                                                										case 0x20:
                                                											L116:
                                                											_v52 = _v52 + 1;
                                                											_push(4);
                                                											_pop(__ecx);
                                                											goto L91;
                                                										case 0x21:
                                                											L120:
                                                											_push(4);
                                                											L123:
                                                											_pop(__ecx);
                                                											L91:
                                                											__edi = _v16;
                                                											__edx =  *(0x739a405c + __ecx * 4);
                                                											__eax =  ~__eax;
                                                											asm("sbb eax, eax");
                                                											_v40 = 1;
                                                											__edi = _v16 << 5;
                                                											__eax = __eax & 0x00008000;
                                                											__edi = (_v16 << 5) + __esi;
                                                											__eax = __eax | __ecx;
                                                											__eflags = _v8;
                                                											 *(__edi + 0x1018) = __eax;
                                                											if(_v8 < 0) {
                                                												L93:
                                                												__edx = 0;
                                                												__edx = 1;
                                                												__eflags = 1;
                                                												L94:
                                                												__eflags = _v8 - 1;
                                                												 *(__edi + 0x1028) = __edx;
                                                												if(_v8 == 1) {
                                                													__eax =  &_v12;
                                                													__eax = E739A1AE6( &_v12);
                                                													__eax = __eax + 1;
                                                													__eflags = __eax;
                                                													_v8 = __eax;
                                                												}
                                                												__eax = _v8;
                                                												 *((intOrPtr*)(__edi + 0x101c)) = _v8;
                                                												_t136 = _v16 + 0x81; // 0x81
                                                												_t136 = _t136 << 5;
                                                												__eax = 0;
                                                												__eflags = 0;
                                                												 *((intOrPtr*)((_t136 << 5) + __esi)) = 0;
                                                												 *((intOrPtr*)(__edi + 0x1030)) = 0;
                                                												 *((intOrPtr*)(__edi + 0x102c)) = 0;
                                                												L97:
                                                												__eflags = __ebx;
                                                												if(__ebx == 0) {
                                                													goto L57;
                                                												}
                                                												L98:
                                                												__eflags = _v20;
                                                												_v40 = 1;
                                                												if(_v20 != 0) {
                                                													L103:
                                                													__eflags = _v20 - 1;
                                                													if(_v20 == 1) {
                                                														__eax = _v16;
                                                														__eax = _v16 << 5;
                                                														__eflags = __eax;
                                                														 *(__eax + __esi + 0x102c) = __ebx;
                                                													}
                                                													goto L105;
                                                												}
                                                												_v16 = _v16 << 5;
                                                												_t144 = __esi + 0x1030; // 0x1030
                                                												__edi = (_v16 << 5) + _t144;
                                                												__eax =  *__edi;
                                                												__eflags = __eax - 0xffffffff;
                                                												if(__eax <= 0xffffffff) {
                                                													L101:
                                                													__eax = GlobalFree(__eax);
                                                													L102:
                                                													 *__edi = __ebx;
                                                													goto L103;
                                                												}
                                                												__eflags = __eax - 0x19;
                                                												if(__eax <= 0x19) {
                                                													goto L102;
                                                												}
                                                												goto L101;
                                                											}
                                                											__eflags = __edx;
                                                											if(__edx > 0) {
                                                												goto L94;
                                                											}
                                                											goto L93;
                                                										case 0x22:
                                                											goto L57;
                                                									}
                                                								}
                                                								_t272 = _t269 - 1;
                                                								__eflags = _t272;
                                                								if(_t272 == 0) {
                                                									_v16 = _t283;
                                                									goto L80;
                                                								}
                                                								__eflags = _t272 != 1;
                                                								if(_t272 != 1) {
                                                									goto L162;
                                                								}
                                                								__eflags = _t286 - 0x6e;
                                                								if(__eflags > 0) {
                                                									_t309 = _t286 - 0x72;
                                                									__eflags = _t309;
                                                									if(_t309 == 0) {
                                                										_push(4);
                                                										L74:
                                                										_pop(_t274);
                                                										L75:
                                                										__eflags = _v8 - 1;
                                                										if(_v8 != 1) {
                                                											_t96 = _t332 + 0x1010;
                                                											 *_t96 =  *(_t332 + 0x1010) &  !_t274;
                                                											__eflags =  *_t96;
                                                										} else {
                                                											 *(_t332 + 0x1010) =  *(_t332 + 0x1010) | _t274;
                                                										}
                                                										_v8 = 1;
                                                										goto L57;
                                                									}
                                                									_t312 = _t309 - 1;
                                                									__eflags = _t312;
                                                									if(_t312 == 0) {
                                                										_push(0x10);
                                                										goto L74;
                                                									}
                                                									__eflags = _t312 != 0;
                                                									if(_t312 != 0) {
                                                										goto L57;
                                                									}
                                                									_push(0x40);
                                                									goto L74;
                                                								}
                                                								if(__eflags == 0) {
                                                									_push(8);
                                                									goto L74;
                                                								}
                                                								_t315 = _t286 - 0x21;
                                                								__eflags = _t315;
                                                								if(_t315 == 0) {
                                                									_v8 =  ~_v8;
                                                									goto L57;
                                                								}
                                                								_t316 = _t315 - 0x11;
                                                								__eflags = _t316;
                                                								if(_t316 == 0) {
                                                									_t274 = 0x100;
                                                									goto L75;
                                                								}
                                                								_t317 = _t316 - 0x31;
                                                								__eflags = _t317;
                                                								if(_t317 == 0) {
                                                									_t274 = 1;
                                                									goto L75;
                                                								}
                                                								__eflags = _t317 != 0;
                                                								if(_t317 != 0) {
                                                									goto L57;
                                                								}
                                                								_push(0x20);
                                                								goto L74;
                                                							} else {
                                                								_v32 = _t283;
                                                								_v36 = _t283;
                                                								goto L20;
                                                							}
                                                						}
                                                						__eflags =  *((short*)(_t321 - 2)) - 0x3a;
                                                						if( *((short*)(_t321 - 2)) != 0x3a) {
                                                							goto L17;
                                                						}
                                                						__eflags = _v32 - _t283;
                                                						if(_v32 == _t283) {
                                                							goto L43;
                                                						}
                                                						goto L17;
                                                					}
                                                					_t277 = _t258 - 5;
                                                					if(_t277 == 0) {
                                                						__eflags = _v44 - _t283;
                                                						if(_v44 != _t283) {
                                                							goto L43;
                                                						} else {
                                                							__eflags = _v36 - 3;
                                                							_v32 = 1;
                                                							_v8 = _t283;
                                                							_v20 = _t283;
                                                							_v16 = (0 | _v36 == 0x00000003) + 1;
                                                							_v40 = _t283;
                                                							goto L20;
                                                						}
                                                					}
                                                					_t281 = _t277 - 1;
                                                					if(_t281 == 0) {
                                                						__eflags = _v44 - _t283;
                                                						if(_v44 != _t283) {
                                                							goto L43;
                                                						} else {
                                                							_v32 = 2;
                                                							_v8 = _t283;
                                                							_v20 = _t283;
                                                							goto L20;
                                                						}
                                                					}
                                                					if(_t281 != 0x16) {
                                                						goto L43;
                                                					} else {
                                                						_v32 = 3;
                                                						_v8 = 1;
                                                						goto L20;
                                                					}
                                                				}
                                                				GlobalFree(_v56);
                                                				GlobalFree(_v24);
                                                				GlobalFree(_v48);
                                                				if(_t332 == _t283 ||  *(_t332 + 0x100c) != _t283) {
                                                					L182:
                                                					return _t332;
                                                				} else {
                                                					_t225 =  *_t332 - 1;
                                                					if(_t225 == 0) {
                                                						_t187 = _t332 + 8; // 0x8
                                                						_t324 = _t187;
                                                						__eflags =  *_t324 - _t283;
                                                						if( *_t324 != _t283) {
                                                							_t226 = GetModuleHandleW(_t324);
                                                							__eflags = _t226 - _t283;
                                                							 *(_t332 + 0x1008) = _t226;
                                                							if(_t226 != _t283) {
                                                								L171:
                                                								_t192 = _t332 + 0x808; // 0x808
                                                								_t325 = _t192;
                                                								_t227 = E739A161D( *(_t332 + 0x1008), _t325);
                                                								__eflags = _t227 - _t283;
                                                								 *(_t332 + 0x100c) = _t227;
                                                								if(_t227 == _t283) {
                                                									__eflags =  *_t325 - 0x23;
                                                									if( *_t325 == 0x23) {
                                                										_t195 = _t332 + 0x80a; // 0x80a
                                                										_t231 = E739A1311(_t195);
                                                										__eflags = _t231 - _t283;
                                                										if(_t231 != _t283) {
                                                											__eflags = _t231 & 0xffff0000;
                                                											if((_t231 & 0xffff0000) == 0) {
                                                												 *(_t332 + 0x100c) = GetProcAddress( *(_t332 + 0x1008), _t231 & 0x0000ffff);
                                                											}
                                                										}
                                                									}
                                                								}
                                                								__eflags = _v52 - _t283;
                                                								if(_v52 != _t283) {
                                                									L178:
                                                									_t325[lstrlenW(_t325)] = 0x57;
                                                									_t229 = E739A161D( *(_t332 + 0x1008), _t325);
                                                									__eflags = _t229 - _t283;
                                                									if(_t229 != _t283) {
                                                										L166:
                                                										 *(_t332 + 0x100c) = _t229;
                                                										goto L182;
                                                									}
                                                									__eflags =  *(_t332 + 0x100c) - _t283;
                                                									L180:
                                                									if(__eflags != 0) {
                                                										goto L182;
                                                									}
                                                									L181:
                                                									_t206 = _t332 + 4;
                                                									 *_t206 =  *(_t332 + 4) | 0xffffffff;
                                                									__eflags =  *_t206;
                                                									goto L182;
                                                								} else {
                                                									__eflags =  *(_t332 + 0x100c) - _t283;
                                                									if( *(_t332 + 0x100c) != _t283) {
                                                										goto L182;
                                                									}
                                                									goto L178;
                                                								}
                                                							}
                                                							_t234 = LoadLibraryW(_t324);
                                                							__eflags = _t234 - _t283;
                                                							 *(_t332 + 0x1008) = _t234;
                                                							if(_t234 == _t283) {
                                                								goto L181;
                                                							}
                                                							goto L171;
                                                						}
                                                						_t188 = _t332 + 0x808; // 0x808
                                                						_t236 = E739A1311(_t188);
                                                						 *(_t332 + 0x100c) = _t236;
                                                						__eflags = _t236 - _t283;
                                                						goto L180;
                                                					}
                                                					_t237 = _t225 - 1;
                                                					if(_t237 == 0) {
                                                						_t185 = _t332 + 0x808; // 0x808
                                                						_t238 = _t185;
                                                						__eflags =  *_t238 - _t283;
                                                						if( *_t238 == _t283) {
                                                							goto L182;
                                                						}
                                                						_t229 = E739A1311(_t238);
                                                						L165:
                                                						goto L166;
                                                					}
                                                					if(_t237 != 1) {
                                                						goto L182;
                                                					}
                                                					_t81 = _t332 + 8; // 0x8
                                                					_t284 = _t81;
                                                					_t326 = E739A1311(_t81);
                                                					 *(_t332 + 0x1008) = _t326;
                                                					if(_t326 == 0) {
                                                						goto L181;
                                                					}
                                                					 *(_t332 + 0x104c) =  *(_t332 + 0x104c) & 0x00000000;
                                                					 *((intOrPtr*)(_t332 + 0x1050)) = E739A122C(_t284);
                                                					 *(_t332 + 0x103c) =  *(_t332 + 0x103c) & 0x00000000;
                                                					 *((intOrPtr*)(_t332 + 0x1048)) = 1;
                                                					 *((intOrPtr*)(_t332 + 0x1038)) = 1;
                                                					_t90 = _t332 + 0x808; // 0x808
                                                					_t229 =  *(_t326->i + E739A1311(_t90) * 4);
                                                					goto L165;
                                                				}
                                                			}

                                                0x00000000
                                                0x739a20ab
                                                0x739a20ae
                                                0x739a20b1
                                                0x739a20b1
                                                0x739a20b2
                                                0x739a20b3
                                                0x739a20b6
                                                0x739a20b9
                                                0x739a20bc
                                                0x00000000
                                                0x00000000
                                                0x739a20be
                                                0x739a20be
                                                0x739a20c2
                                                0x739a20da
                                                0x739a20dd
                                                0x739a20e1
                                                0x739a20e7
                                                0x00000000
                                                0x739a20e7
                                                0x739a20c4
                                                0x739a20c4
                                                0x739a20c7
                                                0x00000000
                                                0x00000000
                                                0x739a20c9
                                                0x739a20cc
                                                0x739a20ce
                                                0x739a20cf
                                                0x739a20cf
                                                0x739a20cf
                                                0x739a20d0
                                                0x739a20d3
                                                0x739a20d6
                                                0x739a20d7
                                                0x739a20b1
                                                0x739a20b2
                                                0x739a20b3
                                                0x739a20b6
                                                0x739a20b9
                                                0x739a20bc
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x739a20bc
                                                0x00000000
                                                0x739a1f07
                                                0x00000000
                                                0x00000000
                                                0x739a1f13
                                                0x00000000
                                                0x00000000
                                                0x739a1efa
                                                0x739a1efe
                                                0x739a1f02
                                                0x00000000
                                                0x00000000
                                                0x739a207c
                                                0x739a2080
                                                0x00000000
                                                0x00000000
                                                0x739a2086
                                                0x739a208f
                                                0x739a2096
                                                0x739a209e
                                                0x00000000
                                                0x00000000
                                                0x739a1fe3
                                                0x739a1fe3
                                                0x00000000
                                                0x00000000
                                                0x739a1f1c
                                                0x00000000
                                                0x00000000
                                                0x739a2106
                                                0x00000000
                                                0x00000000
                                                0x739a1feb
                                                0x739a1fed
                                                0x739a1fed
                                                0x00000000
                                                0x00000000
                                                0x739a20f6
                                                0x00000000
                                                0x00000000
                                                0x739a20fa
                                                0x00000000
                                                0x00000000
                                                0x739a2102
                                                0x00000000
                                                0x00000000
                                                0x739a2033
                                                0x739a2035
                                                0x739a2035
                                                0x00000000
                                                0x00000000
                                                0x739a1ffd
                                                0x739a1fff
                                                0x739a1fff
                                                0x00000000
                                                0x00000000
                                                0x739a200f
                                                0x739a2011
                                                0x739a2011
                                                0x00000000
                                                0x00000000
                                                0x739a2041
                                                0x739a2043
                                                0x739a2043
                                                0x00000000
                                                0x00000000
                                                0x739a201a
                                                0x739a201c
                                                0x739a201c
                                                0x00000000
                                                0x00000000
                                                0x739a2021
                                                0x00000000
                                                0x00000000
                                                0x739a20fe
                                                0x739a2108
                                                0x739a2108
                                                0x00000000
                                                0x00000000
                                                0x739a204c
                                                0x739a2050
                                                0x739a2055
                                                0x739a2058
                                                0x739a2059
                                                0x739a205c
                                                0x739a2062
                                                0x739a2062
                                                0x00000000
                                                0x00000000
                                                0x739a20ee
                                                0x00000000
                                                0x00000000
                                                0x739a2025
                                                0x739a2027
                                                0x739a2027
                                                0x00000000
                                                0x00000000
                                                0x739a1f23
                                                0x739a1f23
                                                0x00000000
                                                0x00000000
                                                0x739a203a
                                                0x739a203c
                                                0x739a203c
                                                0x00000000
                                                0x00000000
                                                0x739a1ec7
                                                0x739a1ecd
                                                0x739a1ed0
                                                0x739a1ed2
                                                0x739a1ed2
                                                0x739a1ed5
                                                0x739a1ed9
                                                0x739a1ee6
                                                0x739a1ee8
                                                0x739a1eee
                                                0x739a1eee
                                                0x739a1eee
                                                0x00000000
                                                0x00000000
                                                0x739a1fee
                                                0x739a1fee
                                                0x739a1ff0
                                                0x739a1ff7
                                                0x00000000
                                                0x00000000
                                                0x739a2036
                                                0x739a2036
                                                0x00000000
                                                0x00000000
                                                0x739a2000
                                                0x739a2000
                                                0x739a2002
                                                0x739a2009
                                                0x00000000
                                                0x00000000
                                                0x739a2012
                                                0x739a2012
                                                0x739a2014
                                                0x00000000
                                                0x00000000
                                                0x739a2044
                                                0x739a2044
                                                0x00000000
                                                0x00000000
                                                0x739a201d
                                                0x739a201d
                                                0x00000000
                                                0x00000000
                                                0x739a206a
                                                0x739a206e
                                                0x739a2073
                                                0x739a2076
                                                0x00000000
                                                0x00000000
                                                0x739a2028
                                                0x739a2028
                                                0x739a202b
                                                0x739a202d
                                                0x00000000
                                                0x00000000
                                                0x739a203d
                                                0x739a203d
                                                0x739a2046
                                                0x739a2046
                                                0x739a1f25
                                                0x739a1f25
                                                0x739a1f28
                                                0x739a1f2f
                                                0x739a1f31
                                                0x739a1f33
                                                0x739a1f3a
                                                0x739a1f3d
                                                0x739a1f42
                                                0x739a1f44
                                                0x739a1f46
                                                0x739a1f4a
                                                0x739a1f50
                                                0x739a1f56
                                                0x739a1f56
                                                0x739a1f58
                                                0x739a1f58
                                                0x739a1f59
                                                0x739a1f59
                                                0x739a1f5d
                                                0x739a1f63
                                                0x739a1f65
                                                0x739a1f69
                                                0x739a1f6e
                                                0x739a1f6e
                                                0x739a1f70
                                                0x739a1f70
                                                0x739a1f73
                                                0x739a1f76
                                                0x739a1f7f
                                                0x739a1f85
                                                0x739a1f88
                                                0x739a1f88
                                                0x739a1f8a
                                                0x739a1f8d
                                                0x739a1f93
                                                0x739a1f99
                                                0x739a1f99
                                                0x739a1f9b
                                                0x00000000
                                                0x00000000
                                                0x739a1fa1
                                                0x739a1fa1
                                                0x739a1fa5
                                                0x739a1fac
                                                0x739a1fd0
                                                0x739a1fd0
                                                0x739a1fd4
                                                0x739a1fd6
                                                0x739a1fd9
                                                0x739a1fd9
                                                0x739a1fdc
                                                0x739a1fdc
                                                0x00000000
                                                0x739a1fd4
                                                0x739a1fb1
                                                0x739a1fb4
                                                0x739a1fb4
                                                0x739a1fbb
                                                0x739a1fbd
                                                0x739a1fc0
                                                0x739a1fc7
                                                0x739a1fc8
                                                0x739a1fce
                                                0x739a1fce
                                                0x00000000
                                                0x739a1fce
                                                0x739a1fc2
                                                0x739a1fc5
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x739a1fc5
                                                0x739a1f52
                                                0x739a1f54
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x739a1ec0
                                                0x739a1d65
                                                0x739a1d65
                                                0x739a1d66
                                                0x739a1ea6
                                                0x00000000
                                                0x739a1ea6
                                                0x739a1d6c
                                                0x739a1d6d
                                                0x00000000
                                                0x00000000
                                                0x739a1d73
                                                0x739a1d76
                                                0x739a1e6b
                                                0x739a1e6b
                                                0x739a1e6e
                                                0x739a1e83
                                                0x739a1e85
                                                0x739a1e85
                                                0x739a1e86
                                                0x739a1e89
                                                0x739a1e8c
                                                0x739a1e98
                                                0x739a1e98
                                                0x739a1e98
                                                0x739a1e8e
                                                0x739a1e8e
                                                0x739a1e8e
                                                0x739a1e9e
                                                0x00000000
                                                0x739a1e9e
                                                0x739a1e70
                                                0x739a1e70
                                                0x739a1e71
                                                0x739a1e7f
                                                0x00000000
                                                0x739a1e7f
                                                0x739a1e74
                                                0x739a1e75
                                                0x00000000
                                                0x00000000
                                                0x739a1e7b
                                                0x00000000
                                                0x739a1e7b
                                                0x739a1d7c
                                                0x739a1e67
                                                0x00000000
                                                0x739a1e67
                                                0x739a1d82
                                                0x739a1d82
                                                0x739a1d85
                                                0x739a1dae
                                                0x00000000
                                                0x739a1dae
                                                0x739a1d87
                                                0x739a1d87
                                                0x739a1d8a
                                                0x739a1da4
                                                0x00000000
                                                0x739a1da4
                                                0x739a1d8c
                                                0x739a1d8c
                                                0x739a1d8f
                                                0x739a1d9e
                                                0x00000000
                                                0x739a1d9e
                                                0x739a1d92
                                                0x739a1d93
                                                0x00000000
                                                0x00000000
                                                0x739a1d95
                                                0x00000000
                                                0x739a1c4c
                                                0x739a1c4c
                                                0x739a1c4f
                                                0x00000000
                                                0x739a1c4f
                                                0x739a1c46
                                                0x739a1c33
                                                0x739a1c38
                                                0x00000000
                                                0x00000000
                                                0x739a1c3a
                                                0x739a1c3d
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x739a1c3d
                                                0x739a1bcd
                                                0x739a1bd0
                                                0x739a1c06
                                                0x739a1c09
                                                0x00000000
                                                0x739a1c0f
                                                0x739a1c11
                                                0x739a1c15
                                                0x739a1c1c
                                                0x739a1c23
                                                0x739a1c26
                                                0x739a1c29
                                                0x00000000
                                                0x739a1c29
                                                0x739a1c09
                                                0x739a1bd2
                                                0x739a1bd3
                                                0x739a1bee
                                                0x739a1bf1
                                                0x00000000
                                                0x739a1bf7
                                                0x739a1bf7
                                                0x739a1bfe
                                                0x739a1c01
                                                0x00000000
                                                0x739a1c01
                                                0x739a1bf1
                                                0x739a1bd8
                                                0x00000000
                                                0x739a1bde
                                                0x739a1bde
                                                0x739a1be5
                                                0x00000000
                                                0x739a1be5
                                                0x739a1bd8
                                                0x739a1dd4
                                                0x739a1dd9
                                                0x739a1dde
                                                0x739a1de2
                                                0x739a22b5
                                                0x739a22bb
                                                0x739a1df4
                                                0x739a1df6
                                                0x739a1df7
                                                0x739a21de
                                                0x739a21de
                                                0x739a21e1
                                                0x739a21e4
                                                0x739a2201
                                                0x739a2207
                                                0x739a2209
                                                0x739a220f
                                                0x739a2226
                                                0x739a2226
                                                0x739a2226
                                                0x739a2233
                                                0x739a2239
                                                0x739a223c
                                                0x739a2242
                                                0x739a2244
                                                0x739a2248
                                                0x739a224a
                                                0x739a2251
                                                0x739a2256
                                                0x739a2259
                                                0x739a225b
                                                0x739a2260
                                                0x739a2272
                                                0x739a2272
                                                0x739a2260
                                                0x739a2259
                                                0x739a2248
                                                0x739a2278
                                                0x739a227b
                                                0x739a2285
                                                0x739a228d
                                                0x739a229a
                                                0x739a22a0
                                                0x739a22a3
                                                0x739a21d3
                                                0x739a21d3
                                                0x00000000
                                                0x739a21d3
                                                0x739a22a9
                                                0x739a22af
                                                0x739a22af
                                                0x00000000
                                                0x00000000
                                                0x739a22b1
                                                0x739a22b1
                                                0x739a22b1
                                                0x739a22b1
                                                0x00000000
                                                0x739a227d
                                                0x739a227d

                                                APIs
                                                  • Part of subcall function 739A121B: GlobalAlloc.KERNELBASE(00000040,?,739A123B,?,739A12DF,00000019,739A11BE,-000000A0), ref: 739A1225
                                                • GlobalAlloc.KERNELBASE(00000040,00001CA4), ref: 739A1C8D
                                                • lstrcpyW.KERNEL32 ref: 739A1CD5
                                                • lstrcpyW.KERNEL32 ref: 739A1CDF
                                                • GlobalFree.KERNEL32 ref: 739A1CF2
                                                • GlobalFree.KERNEL32 ref: 739A1DD4
                                                • GlobalFree.KERNEL32 ref: 739A1DD9
                                                • GlobalFree.KERNEL32 ref: 739A1DDE
                                                • GlobalFree.KERNEL32 ref: 739A1FC8
                                                • lstrcpyW.KERNEL32 ref: 739A2182
                                                • GetModuleHandleW.KERNEL32(00000008), ref: 739A2201
                                                • LoadLibraryW.KERNEL32(00000008), ref: 739A2212
                                                • GetProcAddress.KERNEL32(?,?), ref: 739A226C
                                                • lstrlenW.KERNEL32(00000808), ref: 739A2286
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.835830546.00000000739A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 739A0000, based on PE: true
                                                • Associated: 00000000.00000002.835810972.00000000739A0000.00000002.00000001.01000000.00000004.sdmp
                                                • Associated: 00000000.00000002.835840431.00000000739A4000.00000002.00000001.01000000.00000004.sdmp
                                                • Associated: 00000000.00000002.835888037.00000000739A6000.00000002.00000001.01000000.00000004.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_739a0000_CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900.jbxd
                                                Similarity
                                                • API ID: Global$Free$lstrcpy$Alloc$AddressHandleLibraryLoadModuleProclstrlen
                                                • String ID:
                                                • API String ID: 245916457-0
                                                • Opcode ID: 7a412d57f1061163109b71ac8b02cb720e60fc29e5015870f3ecf1d65509b3a5
                                                • Instruction ID: d7d4ec739b5d9c80260c0b389921e4fa445a6187b8023116b48f445f85c3c745
                                                • Opcode Fuzzy Hash: 7a412d57f1061163109b71ac8b02cb720e60fc29e5015870f3ecf1d65509b3a5
                                                • Instruction Fuzzy Hash: 2422A972D0420ADBDB158FA8C5847EEB7B9FB08395F24472ED1A6A6280D7709680CB53
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 98%
                                                			E00405B23(void* __eflags, signed int _a4, signed int _a8) {
                                                				signed int _v8;
                                                				signed int _v12;
                                                				short _v556;
                                                				short _v558;
                                                				struct _WIN32_FIND_DATAW _v604;
                                                				signed int _t38;
                                                				signed int _t52;
                                                				signed int _t55;
                                                				signed int _t62;
                                                				void* _t64;
                                                				signed char _t65;
                                                				WCHAR* _t66;
                                                				void* _t67;
                                                				WCHAR* _t68;
                                                				void* _t70;
                                                
                                                				_t65 = _a8;
                                                				_t68 = _a4;
                                                				_v8 = _t65 & 0x00000004;
                                                				_t38 = E00405DEE(__eflags, _t68);
                                                				_v12 = _t38;
                                                				if((_t65 & 0x00000008) != 0) {
                                                					_t62 = DeleteFileW(_t68); // executed
                                                					asm("sbb eax, eax");
                                                					_t64 =  ~_t62 + 1;
                                                					 *0x434fa8 =  *0x434fa8 + _t64;
                                                					return _t64;
                                                				}
                                                				_a4 = _t65;
                                                				_t8 =  &_a4;
                                                				 *_t8 = _a4 & 0x00000001;
                                                				__eflags =  *_t8;
                                                				if( *_t8 == 0) {
                                                					L5:
                                                					E00406411(0x42f270, _t68);
                                                					__eflags = _a4;
                                                					if(_a4 == 0) {
                                                						E00405D32(_t68);
                                                					} else {
                                                						lstrcatW(0x42f270, L"\\*.*");
                                                					}
                                                					__eflags =  *_t68;
                                                					if( *_t68 != 0) {
                                                						L10:
                                                						lstrcatW(_t68, 0x40a014);
                                                						L11:
                                                						_t66 =  &(_t68[lstrlenW(_t68)]);
                                                						_t38 = FindFirstFileW(0x42f270,  &_v604);
                                                						_t70 = _t38;
                                                						__eflags = _t70 - 0xffffffff;
                                                						if(_t70 == 0xffffffff) {
                                                							L26:
                                                							__eflags = _a4;
                                                							if(_a4 != 0) {
                                                								_t30 = _t66 - 2;
                                                								 *_t30 =  *(_t66 - 2) & 0x00000000;
                                                								__eflags =  *_t30;
                                                							}
                                                							goto L28;
                                                						} else {
                                                							goto L12;
                                                						}
                                                						do {
                                                							L12:
                                                							__eflags = _v604.cFileName - 0x2e;
                                                							if(_v604.cFileName != 0x2e) {
                                                								L16:
                                                								E00406411(_t66,  &(_v604.cFileName));
                                                								__eflags = _v604.dwFileAttributes & 0x00000010;
                                                								if(__eflags == 0) {
                                                									_t52 = E00405ADB(__eflags, _t68, _v8);
                                                									__eflags = _t52;
                                                									if(_t52 != 0) {
                                                										E00405479(0xfffffff2, _t68);
                                                									} else {
                                                										__eflags = _v8 - _t52;
                                                										if(_v8 == _t52) {
                                                											 *0x434fa8 =  *0x434fa8 + 1;
                                                										} else {
                                                											E00405479(0xfffffff1, _t68);
                                                											E004061D7(_t67, _t68, 0);
                                                										}
                                                									}
                                                								} else {
                                                									__eflags = (_a8 & 0x00000003) - 3;
                                                									if(__eflags == 0) {
                                                										E00405B23(__eflags, _t68, _a8);
                                                									}
                                                								}
                                                								goto L24;
                                                							}
                                                							__eflags = _v558;
                                                							if(_v558 == 0) {
                                                								goto L24;
                                                							}
                                                							__eflags = _v558 - 0x2e;
                                                							if(_v558 != 0x2e) {
                                                								goto L16;
                                                							}
                                                							__eflags = _v556;
                                                							if(_v556 == 0) {
                                                								goto L24;
                                                							}
                                                							goto L16;
                                                							L24:
                                                							_t55 = FindNextFileW(_t70,  &_v604);
                                                							__eflags = _t55;
                                                						} while (_t55 != 0);
                                                						_t38 = FindClose(_t70);
                                                						goto L26;
                                                					}
                                                					__eflags =  *0x42f270 - 0x5c;
                                                					if( *0x42f270 != 0x5c) {
                                                						goto L11;
                                                					}
                                                					goto L10;
                                                				} else {
                                                					__eflags = _t38;
                                                					if(_t38 == 0) {
                                                						L28:
                                                						__eflags = _a4;
                                                						if(_a4 == 0) {
                                                							L36:
                                                							return _t38;
                                                						}
                                                						__eflags = _v12;
                                                						if(_v12 != 0) {
                                                							_t38 = E0040676F(_t68);
                                                							__eflags = _t38;
                                                							if(_t38 == 0) {
                                                								goto L36;
                                                							}
                                                							E00405CE6(_t68);
                                                							_t38 = E00405ADB(__eflags, _t68, _v8 | 0x00000001);
                                                							__eflags = _t38;
                                                							if(_t38 != 0) {
                                                								return E00405479(0xffffffe5, _t68);
                                                							}
                                                							__eflags = _v8;
                                                							if(_v8 == 0) {
                                                								goto L30;
                                                							}
                                                							E00405479(0xfffffff1, _t68);
                                                							return E004061D7(_t67, _t68, 0);
                                                						}
                                                						L30:
                                                						 *0x434fa8 =  *0x434fa8 + 1;
                                                						return _t38;
                                                					}
                                                					__eflags = _t65 & 0x00000002;
                                                					if((_t65 & 0x00000002) == 0) {
                                                						goto L28;
                                                					}
                                                					goto L5;
                                                				}
                                                			}



















                                                APIs
                                                • DeleteFileW.KERNELBASE(?,?,7476FAA0,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405B4C
                                                • lstrcatW.KERNEL32(0042F270,\*.*), ref: 00405B94
                                                • lstrcatW.KERNEL32(?,0040A014), ref: 00405BB7
                                                • lstrlenW.KERNEL32(?,?,0040A014,?,0042F270,?,?,7476FAA0,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405BBD
                                                • FindFirstFileW.KERNEL32(0042F270,?,?,?,0040A014,?,0042F270,?,?,7476FAA0,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405BCD
                                                • FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 00405C6D
                                                • FindClose.KERNEL32(00000000), ref: 00405C7C
                                                Strings
                                                • C:\Users\user\AppData\Local\Temp\, xrefs: 00405B30
                                                • \*.*, xrefs: 00405B8E
                                                • "C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe", xrefs: 00405B23
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.835235633.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.835227877.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835247650.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835255668.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835279889.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835287535.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835293393.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835311029.0000000000460000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835319576.000000000047B000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835326492.000000000047E000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900.jbxd
                                                Similarity
                                                • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                                                • String ID: "C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe"$C:\Users\user\AppData\Local\Temp\$\*.*
                                                • API String ID: 2035342205-3031058461
                                                • Opcode ID: d511c024af8fdc6ff868d432ce58507b2a66eda6578bf5e7436de137c1c2de65
                                                • Instruction ID: 64ad53015563eb9bad7c636b6f780160dd5a6986b89d0419f795064a900c36f2
                                                • Opcode Fuzzy Hash: d511c024af8fdc6ff868d432ce58507b2a66eda6578bf5e7436de137c1c2de65
                                                • Instruction Fuzzy Hash: 8941B330804B18AAEB21AB658D89AAF7778EF41714F24417FF802B11D1D77C5E81DE6E
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E0040676F(WCHAR* _a4) {
                                                				void* _t2;
                                                
                                                				_t2 = FindFirstFileW(_a4, 0x4302b8); // executed
                                                				if(_t2 == 0xffffffff) {
                                                					return 0;
                                                				}
                                                				FindClose(_t2);
                                                				return 0x4302b8;
                                                			}





                                                APIs
                                                • FindFirstFileW.KERNELBASE(7476FAA0,004302B8,0042FA70,00405E37,0042FA70,0042FA70,00000000,0042FA70,0042FA70,7476FAA0,?,C:\Users\user\AppData\Local\Temp\,00405B43,?,7476FAA0,C:\Users\user\AppData\Local\Temp\), ref: 0040677A
                                                • FindClose.KERNEL32(00000000), ref: 00406786
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.835235633.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.835227877.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835247650.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835255668.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835279889.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835287535.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835293393.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835311029.0000000000460000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835319576.000000000047B000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835326492.000000000047E000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900.jbxd
                                                Similarity
                                                • API ID: Find$CloseFileFirst
                                                • String ID:
                                                • API String ID: 2295610775-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 96%
                                                			E00404DD4(struct HWND__* _a4, int _a8, signed int _a12, int _a16) {
                                                				struct HWND__* _v8;
                                                				struct HWND__* _v12;
                                                				long _v16;
                                                				signed int _v20;
                                                				intOrPtr _v24;
                                                				signed char* _v28;
                                                				int _v32;
                                                				void* _v36;
                                                				signed int _v44;
                                                				int _v48;
                                                				signed int* _v60;
                                                				signed char* _v64;
                                                				signed int _v68;
                                                				long _v72;
                                                				void* _v76;
                                                				intOrPtr _v80;
                                                				intOrPtr _v84;
                                                				void* _v88;
                                                				void* __ebx;
                                                				void* __edi;
                                                				void* __esi;
                                                				struct HWND__* _t191;
                                                				signed int _t203;
                                                				void* _t206;
                                                				long _t212;
                                                				signed int _t216;
                                                				signed int _t227;
                                                				void* _t230;
                                                				void* _t231;
                                                				int _t237;
                                                				long _t242;
                                                				long _t243;
                                                				signed int _t244;
                                                				signed int _t249;
                                                				signed int _t251;
                                                				signed char _t252;
                                                				signed char _t260;
                                                				void* _t265;
                                                				void* _t267;
                                                				signed char* _t285;
                                                				signed char _t286;
                                                				long _t288;
                                                				long _t291;
                                                				void* _t298;
                                                				signed int* _t299;
                                                				int _t300;
                                                				long _t301;
                                                				int _t303;
                                                				long _t304;
                                                				int _t305;
                                                				signed int _t306;
                                                				signed int _t309;
                                                				signed int _t316;
                                                				signed char* _t324;
                                                				int _t329;
                                                				void* _t331;
                                                
                                                				_v12 = GetDlgItem(_a4, 0x3f9);
                                                				_t191 = GetDlgItem(_a4, 0x408);
                                                				_t298 =  *0x434f48;
                                                				_t331 = SendMessageW;
                                                				_v8 = _t191;
                                                				_v36 = _t298;
                                                				_v24 =  *0x434f14 + 0x94;
                                                				if(_a8 != 0x110) {
                                                					L23:
                                                					if(_a8 != 0x405) {
                                                						_t307 = _a16;
                                                					} else {
                                                						_a12 = 0;
                                                						_t307 = 1;
                                                						_a8 = 0x40f;
                                                						_a16 = 1;
                                                					}
                                                					if(_a8 == 0x4e || _a8 == 0x413) {
                                                						_v16 = _t307;
                                                						if(_a8 == 0x413 ||  *((intOrPtr*)(_t307 + 4)) == 0x408) {
                                                							if(( *0x434f1d & 0x00000002) != 0) {
                                                								L41:
                                                								if(_v16 != 0) {
                                                									_t242 = _v16;
                                                									if( *((intOrPtr*)(_t242 + 8)) == 0xfffffe3d) {
                                                										SendMessageW(_v8, 0x419, 0,  *(_t242 + 0x5c)); // executed
                                                									}
                                                									_t243 = _v16;
                                                									if( *((intOrPtr*)(_t243 + 8)) == 0xfffffe39) {
                                                										_t244 =  *(_t243 + 0x5c);
                                                										if( *((intOrPtr*)(_t243 + 0xc)) != 2) {
                                                											 *(_t244 * 0x818 + _t298 + 8) =  *(_t244 * 0x818 + _t298 + 8) & 0xffffffdf;
                                                										} else {
                                                											 *(_t244 * 0x818 + _t298 + 8) =  *(_t244 * 0x818 + _t298 + 8) | 0x00000020;
                                                										}
                                                									}
                                                								}
                                                								goto L48;
                                                							}
                                                							if(_a8 == 0x413) {
                                                								L33:
                                                								_t307 = 0 | _a8 != 0x00000413;
                                                								_t249 = E00404D22(_v8, _a8 != 0x413);
                                                								_v20 = _t249;
                                                								if(_t249 >= 0) {
                                                									_t100 = _t298 + 8; // 0x8
                                                									_t307 = _t249 * 0x818 + _t100;
                                                									_t251 =  *_t307;
                                                									if((_t251 & 0x00000010) == 0) {
                                                										if((_t251 & 0x00000040) == 0) {
                                                											_t252 = _t251 ^ 0x00000001;
                                                										} else {
                                                											_t260 = _t251 ^ 0x00000080;
                                                											if(_t260 >= 0) {
                                                												_t252 = _t260 & 0x000000fe;
                                                											} else {
                                                												_t252 = _t260 | 0x00000001;
                                                											}
                                                										}
                                                										 *_t307 = _t252;
                                                										E0040117D(_v20);
                                                										_a8 = 0x40f;
                                                										_a12 = _v20 + 1;
                                                										_a16 =  !( *0x434f1c) >> 0x00000008 & 0x00000001;
                                                									}
                                                								}
                                                								goto L41;
                                                							}
                                                							_t307 = _a16;
                                                							if( *((intOrPtr*)(_a16 + 8)) != 0xfffffffe) {
                                                								goto L41;
                                                							}
                                                							goto L33;
                                                						} else {
                                                							goto L48;
                                                						}
                                                					} else {
                                                						L48:
                                                						if(_a8 != 0x111) {
                                                							L56:
                                                							if(_a8 == 0x200) {
                                                								SendMessageW(_v8, 0x200, 0, 0);
                                                							}
                                                							if(_a8 == 0x40b) {
                                                								_t230 =  *0x42d24c;
                                                								if(_t230 != 0) {
                                                									ImageList_Destroy(_t230);
                                                								}
                                                								_t231 =  *0x42d260;
                                                								if(_t231 != 0) {
                                                									GlobalFree(_t231);
                                                								}
                                                								 *0x42d24c = 0;
                                                								 *0x42d260 = 0;
                                                								 *0x434f80 = 0;
                                                							}
                                                							if(_a8 != 0x40f) {
                                                								L90:
                                                								if(_a8 == 0x420 && ( *0x434f1d & 0x00000001) != 0) {
                                                									_t329 = (0 | _a16 == 0x00000020) << 3;
                                                									ShowWindow(_v8, _t329);
                                                									ShowWindow(GetDlgItem(_a4, 0x3fe), _t329);
                                                								}
                                                								goto L93;
                                                							} else {
                                                								E004011EF(_t307, 0, 0);
                                                								_t203 = _a12;
                                                								if(_t203 != 0) {
                                                									if(_t203 != 0xffffffff) {
                                                										_t203 = _t203 - 1;
                                                									}
                                                									_push(_t203);
                                                									_push(8);
                                                									E00404DA2();
                                                								}
                                                								if(_a16 == 0) {
                                                									L75:
                                                									E004011EF(_t307, 0, 0);
                                                									_v36 =  *0x42d260;
                                                									_t206 =  *0x434f48;
                                                									_v64 = 0xf030;
                                                									_v20 = 0;
                                                									if( *0x434f4c <= 0) {
                                                										L86:
                                                										if( *0x434f0c == 4) {
                                                											InvalidateRect(_v8, 0, 1);
                                                										}
                                                										if( *((intOrPtr*)( *0x433edc + 0x10)) != 0) {
                                                											E00404CDD(0x3ff, 0xfffffffb, E00404CF5(5));
                                                										}
                                                										goto L90;
                                                									}
                                                									_t299 = _t206 + 8;
                                                									do {
                                                										_t212 =  *((intOrPtr*)(_v36 + _v20 * 4));
                                                										if(_t212 != 0) {
                                                											_t309 =  *_t299;
                                                											_v72 = _t212;
                                                											_v76 = 8;
                                                											if((_t309 & 0x00000001) != 0) {
                                                												_v76 = 9;
                                                												_v60 =  &(_t299[4]);
                                                												_t299[0] = _t299[0] & 0x000000fe;
                                                											}
                                                											if((_t309 & 0x00000040) == 0) {
                                                												_t216 = (_t309 & 0x00000001) + 1;
                                                												if((_t309 & 0x00000010) != 0) {
                                                													_t216 = _t216 + 3;
                                                												}
                                                											} else {
                                                												_t216 = 3;
                                                											}
                                                											_v68 = (_t216 << 0x0000000b | _t309 & 0x00000008) + (_t216 << 0x0000000b | _t309 & 0x00000008) | _t309 & 0x00000020;
                                                											SendMessageW(_v8, 0x1102, (_t309 >> 0x00000005 & 0x00000001) + 1, _v72);
                                                											SendMessageW(_v8, 0x113f, 0,  &_v76);
                                                										}
                                                										_v20 = _v20 + 1;
                                                										_t299 =  &(_t299[0x206]);
                                                									} while (_v20 <  *0x434f4c);
                                                									goto L86;
                                                								} else {
                                                									_t300 = E004012E2( *0x42d260);
                                                									E00401299(_t300);
                                                									_t227 = 0;
                                                									_t307 = 0;
                                                									if(_t300 <= 0) {
                                                										L74:
                                                										SendMessageW(_v12, 0x14e, _t307, 0);
                                                										_a16 = _t300;
                                                										_a8 = 0x420;
                                                										goto L75;
                                                									} else {
                                                										goto L71;
                                                									}
                                                									do {
                                                										L71:
                                                										if( *((intOrPtr*)(_v24 + _t227 * 4)) != 0) {
                                                											_t307 = _t307 + 1;
                                                										}
                                                										_t227 = _t227 + 1;
                                                									} while (_t227 < _t300);
                                                									goto L74;
                                                								}
                                                							}
                                                						}
                                                						if(_a12 != 0x3f9 || _a12 >> 0x10 != 1) {
                                                							goto L93;
                                                						} else {
                                                							_t237 = SendMessageW(_v12, 0x147, 0, 0);
                                                							if(_t237 == 0xffffffff) {
                                                								goto L93;
                                                							}
                                                							_t301 = SendMessageW(_v12, 0x150, _t237, 0);
                                                							if(_t301 == 0xffffffff ||  *((intOrPtr*)(_v24 + _t301 * 4)) == 0) {
                                                								_t301 = 0x20;
                                                							}
                                                							E00401299(_t301);
                                                							SendMessageW(_a4, 0x420, 0, _t301);
                                                							_a12 = _a12 | 0xffffffff;
                                                							_a16 = 0;
                                                							_a8 = 0x40f;
                                                							goto L56;
                                                						}
                                                					}
                                                				} else {
                                                					 *0x434f80 = _a4;
                                                					_t303 = 2;
                                                					_v32 = 0;
                                                					_v20 = _t303;
                                                					 *0x42d260 = GlobalAlloc(0x40,  *0x434f4c << 2);
                                                					_t265 = LoadImageW( *0x434f00, 0x6e, 0, 0, 0, 0);
                                                					 *0x42d254 =  *0x42d254 | 0xffffffff;
                                                					_v16 = _t265;
                                                					 *0x42d25c = SetWindowLongW(_v8, 0xfffffffc, E004053ED);
                                                					_t267 = ImageList_Create(0x10, 0x10, 0x21, 6, 0);
                                                					 *0x42d24c = _t267;
                                                					ImageList_AddMasked(_t267, _v16, 0xff00ff);
                                                					SendMessageW(_v8, 0x1109, _t303,  *0x42d24c);
                                                					if(SendMessageW(_v8, 0x111c, 0, 0) < 0x10) {
                                                						SendMessageW(_v8, 0x111b, 0x10, 0);
                                                					}
                                                					DeleteObject(_v16);
                                                					_t304 = 0;
                                                					do {
                                                						_t273 =  *((intOrPtr*)(_v24 + _t304 * 4));
                                                						if( *((intOrPtr*)(_v24 + _t304 * 4)) != 0) {
                                                							if(_t304 != 0x20) {
                                                								_v20 = 0;
                                                							}
                                                							SendMessageW(_v12, 0x151, SendMessageW(_v12, 0x143, 0, E0040644E(_t304, 0, _t331, 0, _t273)), _t304);
                                                						}
                                                						_t304 = _t304 + 1;
                                                					} while (_t304 < 0x21);
                                                					_t305 = _a16;
                                                					_push( *((intOrPtr*)(_t305 + 0x30 + _v20 * 4)));
                                                					_push(0x15);
                                                					E00404367(_a4);
                                                					_push( *((intOrPtr*)(_t305 + 0x34 + _v20 * 4)));
                                                					_push(0x16);
                                                					E00404367(_a4);
                                                					_t306 = 0;
                                                					_v16 = 0;
                                                					if( *0x434f4c <= 0) {
                                                						L19:
                                                						SetWindowLongW(_v8, 0xfffffff0, GetWindowLongW(_v8, 0xfffffff0) & 0x000000fb);
                                                						goto L20;
                                                					} else {
                                                						_t324 = _v36 + 8;
                                                						_v28 = _t324;
                                                						do {
                                                							_t285 =  &(_t324[0x10]);
                                                							if( *_t285 != 0) {
                                                								_v64 = _t285;
                                                								_t286 =  *_t324;
                                                								_v88 = _v16;
                                                								_t316 = 0x20;
                                                								_v84 = 0xffff0002;
                                                								_v80 = 0xd;
                                                								_v68 = _t316;
                                                								_v44 = _t306;
                                                								_v72 = _t286 & _t316;
                                                								if((_t286 & 0x00000002) == 0) {
                                                									if((_t286 & 0x00000004) == 0) {
                                                										_t288 = SendMessageW(_v8, 0x1132, 0,  &_v88); // executed
                                                										 *( *0x42d260 + _t306 * 4) = _t288;
                                                									} else {
                                                										_v16 = SendMessageW(_v8, 0x110a, 3, _v16);
                                                									}
                                                								} else {
                                                									_v80 = 0x4d;
                                                									_v48 = 1;
                                                									_t291 = SendMessageW(_v8, 0x1132, 0,  &_v88);
                                                									_v32 = 1;
                                                									 *( *0x42d260 + _t306 * 4) = _t291;
                                                									_v16 =  *( *0x42d260 + _t306 * 4);
                                                								}
                                                							}
                                                							_t306 = _t306 + 1;
                                                							_t324 =  &(_v28[0x818]);
                                                							_v28 = _t324;
                                                						} while (_t306 <  *0x434f4c);
                                                						if(_v32 != 0) {
                                                							L20:
                                                							if(_v20 != 0) {
                                                								E0040439C(_v8);
                                                								_t298 = _v36;
                                                								goto L23;
                                                							} else {
                                                								ShowWindow(_v12, 5);
                                                								E0040439C(_v12);
                                                								L93:
                                                								return E004043CE(_a8, _a12, _a16);
                                                							}
                                                						}
                                                						goto L19;
                                                					}
                                                				}
                                                			}

                                                APIs
                                                • GetDlgItem.USER32 ref: 00404DEB
                                                • GetDlgItem.USER32 ref: 00404DF8
                                                • GlobalAlloc.KERNEL32(00000040,?), ref: 00404E44
                                                • LoadImageW.USER32 ref: 00404E5B
                                                • SetWindowLongW.USER32 ref: 00404E75
                                                • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404E89
                                                • ImageList_AddMasked.COMCTL32(00000000,00000110,00FF00FF), ref: 00404E9D
                                                • SendMessageW.USER32(?,00001109,00000002), ref: 00404EB2
                                                • SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404EBE
                                                • SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404ED0
                                                • DeleteObject.GDI32(00000110), ref: 00404ED5
                                                • SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404F00
                                                • SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404F0C
                                                • SendMessageW.USER32(?,00001132,00000000,?), ref: 00404FA7
                                                • SendMessageW.USER32(?,0000110A,00000003,00000110), ref: 00404FD7
                                                  • Part of subcall function 0040439C: SendMessageW.USER32(00000028,?,00000001,004041C7), ref: 004043AA
                                                • SendMessageW.USER32(?,00001132,00000000,?), ref: 00404FEB
                                                • GetWindowLongW.USER32(?,000000F0), ref: 00405019
                                                • SetWindowLongW.USER32 ref: 00405027
                                                • ShowWindow.USER32(?,00000005), ref: 00405037
                                                • SendMessageW.USER32(?,00000419,00000000,?), ref: 00405138
                                                • SendMessageW.USER32(?,00000147,00000000,00000000), ref: 0040519A
                                                • SendMessageW.USER32(?,00000150,00000000,00000000), ref: 004051AF
                                                • SendMessageW.USER32(?,00000420,00000000,00000020), ref: 004051D3
                                                • SendMessageW.USER32(?,00000200,00000000,00000000), ref: 004051F6
                                                • ImageList_Destroy.COMCTL32(?), ref: 0040520B
                                                • GlobalFree.KERNEL32 ref: 0040521B
                                                • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00405294
                                                • SendMessageW.USER32(?,00001102,?,?), ref: 0040533D
                                                • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 0040534C
                                                • InvalidateRect.USER32(?,00000000,00000001), ref: 00405376
                                                • ShowWindow.USER32(?,00000000), ref: 004053C4
                                                • GetDlgItem.USER32 ref: 004053CF
                                                • ShowWindow.USER32(00000000), ref: 004053D6
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.835235633.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.835227877.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835247650.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835255668.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835279889.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835287535.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835293393.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835311029.0000000000460000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835319576.000000000047B000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835326492.000000000047E000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900.jbxd
                                                Similarity
                                                • API ID: MessageSend$Window$Image$ItemList_LongShow$Global$AllocCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                                                • String ID: $M$N
                                                • API String ID: 2564846305-813528018
                                                • Opcode ID: 5598e06cb67788476fc8c7d334527adddce2bdc5635884aaeb3921699d952b74
                                                • Instruction ID: d580a4fcaa5169941c29ca465f5867fc490570c71858173d192e260bc12e7e27
                                                • Opcode Fuzzy Hash: 5598e06cb67788476fc8c7d334527adddce2bdc5635884aaeb3921699d952b74
                                                • Instruction Fuzzy Hash: 9C127A70D00609EFDB20DFA5CD45AAEBBB5FB84314F10817AEA10BA2E1C7798941DF58
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                [Control-flow graph figure for the function starting at 403e8e; legend: Executed / Not Executed]
                                                C-Code - Quality: 83%
                                                			E00403E8E(struct HWND__* _a4, signed int _a8, int _a12, long _a16) {
                                                				struct HWND__* _v32;
                                                				void* _v84;
                                                				void* _v88;
                                                				void* __ebx;
                                                				void* __edi;
                                                				void* __esi;
                                                				signed int _t37;
                                                				signed int _t39;
                                                				signed int _t41;
                                                				struct HWND__* _t51;
                                                				signed int _t70;
                                                				struct HWND__* _t76;
                                                				signed int _t89;
                                                				struct HWND__* _t94;
                                                				signed int _t102;
                                                				int _t106;
                                                				signed int _t118;
                                                				signed int _t119;
                                                				int _t120;
                                                				signed int _t125;
                                                				struct HWND__* _t128;
                                                				struct HWND__* _t129;
                                                				int _t130;
                                                				long _t133;
                                                				int _t135;
                                                				int _t136;
                                                				void* _t137;
                                                
                                                				_t118 = _a8;
                                                				if(_t118 == 0x110 || _t118 == 0x408) {
                                                					_t37 = _a12;
                                                					_t128 = _a4;
                                                					__eflags = _t118 - 0x110;
                                                					 *0x42d250 = _t37;
                                                					if(_t118 == 0x110) {
                                                						 *0x434f08 = _t128;
                                                						 *0x42d264 = GetDlgItem(_t128, 1);
                                                						_t94 = GetDlgItem(_t128, 2);
                                                						_push(0xffffffff);
                                                						_push(0x1c);
                                                						 *0x42b230 = _t94;
                                                						E00404367(_t128);
                                                						SetClassLongW(_t128, 0xfffffff2,  *0x433ee8); // executed
                                                						 *0x433ecc = E0040140B(4);
                                                						_t37 = 1;
                                                						__eflags = 1;
                                                						 *0x42d250 = 1;
                                                					}
                                                					_t125 =  *0x40a368; // 0x0
                                                					_t136 = 0;
                                                					_t133 = (_t125 << 6) +  *0x434f40;
                                                					__eflags = _t125;
                                                					if(_t125 < 0) {
                                                						L34:
                                                						E004043B3(0x40b);
                                                						while(1) {
                                                							_t39 =  *0x42d250;
                                                							 *0x40a368 =  *0x40a368 + _t39;
                                                							_t133 = _t133 + (_t39 << 6);
                                                							_t41 =  *0x40a368; // 0x0
                                                							__eflags = _t41 -  *0x434f44;
                                                							if(_t41 ==  *0x434f44) {
                                                								E0040140B(1);
                                                							}
                                                							__eflags =  *0x433ecc - _t136;
                                                							if( *0x433ecc != _t136) {
                                                								break;
                                                							}
                                                							__eflags =  *0x40a368 -  *0x434f44; // 0x0
                                                							if(__eflags >= 0) {
                                                								break;
                                                							}
                                                							_t119 =  *(_t133 + 0x14);
                                                							E0040644E(_t119, _t128, _t133, 0x445000,  *((intOrPtr*)(_t133 + 0x24)));
                                                							_push( *((intOrPtr*)(_t133 + 0x20)));
                                                							_push(0xfffffc19);
                                                							E00404367(_t128);
                                                							_push( *((intOrPtr*)(_t133 + 0x1c)));
                                                							_push(0xfffffc1b);
                                                							E00404367(_t128);
                                                							_push( *((intOrPtr*)(_t133 + 0x28)));
                                                							_push(0xfffffc1a);
                                                							E00404367(_t128);
                                                							_t51 = GetDlgItem(_t128, 3);
                                                							__eflags =  *0x434fac - _t136;
                                                							_v32 = _t51;
                                                							if( *0x434fac != _t136) {
                                                								_t119 = _t119 & 0x0000fefd | 0x00000004;
                                                								__eflags = _t119;
                                                							}
                                                							ShowWindow(_t51, _t119 & 0x00000008); // executed
                                                							EnableWindow( *(_t137 + 0x30), _t119 & 0x00000100); // executed
                                                							E00404389(_t119 & 0x00000002);
                                                							_t120 = _t119 & 0x00000004;
                                                							EnableWindow( *0x42b230, _t120);
                                                							__eflags = _t120 - _t136;
                                                							if(_t120 == _t136) {
                                                								_push(1);
                                                							} else {
                                                								_push(_t136);
                                                							}
                                                							EnableMenuItem(GetSystemMenu(_t128, _t136), 0xf060, ??);
                                                							SendMessageW( *(_t137 + 0x38), 0xf4, _t136, 1);
                                                							__eflags =  *0x434fac - _t136;
                                                							if( *0x434fac == _t136) {
                                                								_push( *0x42d264);
                                                							} else {
                                                								SendMessageW(_t128, 0x401, 2, _t136);
                                                								_push( *0x42b230);
                                                							}
                                                							E0040439C();
                                                							E00406411(0x42d268, E00403E6F());
                                                							E0040644E(0x42d268, _t128, _t133,  &(0x42d268[lstrlenW(0x42d268)]),  *((intOrPtr*)(_t133 + 0x18)));
                                                							SetWindowTextW(_t128, 0x42d268); // executed
                                                							_push(_t136);
                                                							_t70 = E00401389( *((intOrPtr*)(_t133 + 8)));
                                                							__eflags = _t70;
                                                							if(_t70 != 0) {
                                                								continue;
                                                							} else {
                                                								__eflags =  *_t133 - _t136;
                                                								if( *_t133 == _t136) {
                                                									continue;
                                                								}
                                                								__eflags =  *(_t133 + 4) - 5;
                                                								if( *(_t133 + 4) != 5) {
                                                									DestroyWindow( *0x433ed8); // executed
                                                									 *0x42c240 = _t133;
                                                									__eflags =  *_t133 - _t136;
                                                									if( *_t133 <= _t136) {
                                                										goto L58;
                                                									}
                                                									_t76 = CreateDialogParamW( *0x434f00,  *_t133 +  *0x433ee0 & 0x0000ffff, _t128,  *( *(_t133 + 4) * 4 + "&E@"), _t133); // executed
                                                									__eflags = _t76 - _t136;
                                                									 *0x433ed8 = _t76;
                                                									if(_t76 == _t136) {
                                                										goto L58;
                                                									}
                                                									_push( *((intOrPtr*)(_t133 + 0x2c)));
                                                									_push(6);
                                                									E00404367(_t76);
                                                									GetWindowRect(GetDlgItem(_t128, 0x3fa), _t137 + 0x10);
                                                									ScreenToClient(_t128, _t137 + 0x10);
                                                									SetWindowPos( *0x433ed8, _t136,  *(_t137 + 0x20),  *(_t137 + 0x20), _t136, _t136, 0x15);
                                                									_push(_t136);
                                                									E00401389( *((intOrPtr*)(_t133 + 0xc)));
                                                									__eflags =  *0x433ecc - _t136;
                                                									if( *0x433ecc != _t136) {
                                                										goto L61;
                                                									}
                                                									ShowWindow( *0x433ed8, 8);
                                                									E004043B3(0x405);
                                                									goto L58;
                                                								}
                                                								__eflags =  *0x434fac - _t136;
                                                								if( *0x434fac != _t136) {
                                                									goto L61;
                                                								}
                                                								__eflags =  *0x434fa0 - _t136;
                                                								if( *0x434fa0 != _t136) {
                                                									continue;
                                                								}
                                                								goto L61;
                                                							}
                                                						}
                                                						DestroyWindow( *0x433ed8);
                                                						 *0x434f08 = _t136;
                                                						EndDialog(_t128,  *0x42ba38);
                                                						goto L58;
                                                					} else {
                                                						__eflags = _t37 - 1;
                                                						if(_t37 != 1) {
                                                							L33:
                                                							__eflags =  *_t133 - _t136;
                                                							if( *_t133 == _t136) {
                                                								goto L61;
                                                							}
                                                							goto L34;
                                                						}
                                                						_push(0);
                                                						_t89 = E00401389( *((intOrPtr*)(_t133 + 0x10)));
                                                						__eflags = _t89;
                                                						if(_t89 == 0) {
                                                							goto L33;
                                                						}
                                                						SendMessageW( *0x433ed8, 0x40f, 0, 1);
                                                						__eflags =  *0x433ecc;
                                                						return 0 |  *0x433ecc == 0x00000000;
                                                					}
                                                				} else {
                                                					_t128 = _a4;
                                                					_t136 = 0;
                                                					if(_t118 == 0x47) {
                                                						SetWindowPos( *0x42d248, _t128, 0, 0, 0, 0, 0x13);
                                                					}
                                                					if(_t118 == 5) {
                                                						asm("sbb eax, eax");
                                                						ShowWindow( *0x42d248,  ~(_a12 - 1) & _t118);
                                                					}
                                                					if(_t118 != 0x40d) {
                                                						__eflags = _t118 - 0x11;
                                                						if(_t118 != 0x11) {
                                                							__eflags = _t118 - 0x111;
                                                							if(_t118 != 0x111) {
                                                								L26:
                                                								return E004043CE(_t118, _a12, _a16);
                                                							}
                                                							_t135 = _a12 & 0x0000ffff;
                                                							_t129 = GetDlgItem(_t128, _t135);
                                                							__eflags = _t129 - _t136;
                                                							if(_t129 == _t136) {
                                                								L13:
                                                								__eflags = _t135 - 1;
                                                								if(_t135 != 1) {
                                                									__eflags = _t135 - 3;
                                                									if(_t135 != 3) {
                                                										_t130 = 2;
                                                										__eflags = _t135 - _t130;
                                                										if(_t135 != _t130) {
                                                											L25:
                                                											SendMessageW( *0x433ed8, 0x111, _a12, _a16);
                                                											goto L26;
                                                										}
                                                										__eflags =  *0x434fac - _t136;
                                                										if( *0x434fac == _t136) {
                                                											_t102 = E0040140B(3);
                                                											__eflags = _t102;
                                                											if(_t102 != 0) {
                                                												goto L26;
                                                											}
                                                											 *0x42ba38 = 1;
                                                											L21:
                                                											_push(0x78);
                                                											L22:
                                                											E00404340();
                                                											goto L26;
                                                										}
                                                										E0040140B(_t130);
                                                										 *0x42ba38 = _t130;
                                                										goto L21;
                                                									}
                                                									__eflags =  *0x40a368 - _t136; // 0x0
                                                									if(__eflags <= 0) {
                                                										goto L25;
                                                									}
                                                									_push(0xffffffff);
                                                									goto L22;
                                                								}
                                                								_push(_t135);
                                                								goto L22;
                                                							}
                                                							SendMessageW(_t129, 0xf3, _t136, _t136);
                                                							_t106 = IsWindowEnabled(_t129);
                                                							__eflags = _t106;
                                                							if(_t106 == 0) {
                                                								goto L61;
                                                							}
                                                							goto L13;
                                                						}
                                                						SetWindowLongW(_t128, _t136, _t136);
                                                						return 1;
                                                					} else {
                                                						DestroyWindow( *0x433ed8);
                                                						 *0x433ed8 = _a12;
                                                						L58:
                                                						if( *0x42f268 == _t136 &&  *0x433ed8 != _t136) {
                                                							ShowWindow(_t128, 0xa);
                                                							 *0x42f268 = 1;
                                                						}
                                                						L61:
                                                						return 0;
                                                					}
                                                				}
                                                			}































                                                APIs
                                                • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403ECA
                                                • ShowWindow.USER32(?), ref: 00403EE7
                                                • DestroyWindow.USER32 ref: 00403EFB
                                                • SetWindowLongW.USER32 ref: 00403F17
                                                • GetDlgItem.USER32 ref: 00403F38
                                                • SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00403F4C
                                                • IsWindowEnabled.USER32(00000000), ref: 00403F53
                                                • GetDlgItem.USER32 ref: 00404001
                                                • GetDlgItem.USER32 ref: 0040400B
                                                • KiUserCallbackDispatcher.NTDLL(?,000000F2,?), ref: 00404025
                                                • SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 00404076
                                                • GetDlgItem.USER32 ref: 0040411C
                                                • ShowWindow.USER32(00000000,?), ref: 0040413D
                                                • KiUserCallbackDispatcher.NTDLL(?,?), ref: 0040414F
                                                • EnableWindow.USER32(?,?), ref: 0040416A
                                                • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00404180
                                                • EnableMenuItem.USER32 ref: 00404187
                                                • SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 0040419F
                                                • SendMessageW.USER32(?,00000401,00000002,00000000), ref: 004041B2
                                                • lstrlenW.KERNEL32(0042D268,?,0042D268,00000000), ref: 004041DC
                                                • SetWindowTextW.USER32(?,0042D268), ref: 004041F0
                                                • ShowWindow.USER32(?,0000000A), ref: 00404324
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.835235633.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.835227877.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835247650.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835255668.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835279889.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835287535.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835293393.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835311029.0000000000460000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835319576.000000000047B000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835326492.000000000047E000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900.jbxd
                                                Similarity
                                                • API ID: Window$Item$MessageSend$Show$CallbackDispatcherEnableMenuUser$DestroyEnabledLongSystemTextlstrlen
                                                • String ID:
                                                • API String ID: 3906175533-0
                                                • Opcode ID: 107ad6bdab59df7c6dc1e53992544a2f2aa45a341ad300a22c315677171673b9
                                                • Instruction ID: cb6f0490afd218b95da4ce8f8645ed9f2a2dc6dad26b5163c80864a666f03042
                                                • Opcode Fuzzy Hash: 107ad6bdab59df7c6dc1e53992544a2f2aa45a341ad300a22c315677171673b9
                                                • Instruction Fuzzy Hash: 40C1AFB1600305EFDB206F61EE85E2B7A68FB85706B54053EFA81B11F0CB799841DB2D
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                [Control-flow graph for function 00403AE0 (nodes marked executed / not executed); graph data not reproduced]
                                                C-Code - Quality: 96%
                                                			E00403AE0(void* __eflags) {
                                                				intOrPtr _v4;
                                                				intOrPtr _v8;
                                                				int _v12;
                                                				void _v16;
                                                				void* __ebx;
                                                				void* __edi;
                                                				void* __esi;
                                                				intOrPtr* _t22;
                                                				void* _t30;
                                                				void* _t32;
                                                				int _t33;
                                                				void* _t36;
                                                				int _t39;
                                                				int _t40;
                                                				int _t44;
                                                				short _t63;
                                                				WCHAR* _t65;
                                                				signed char _t69;
                                                				WCHAR* _t76;
                                                				intOrPtr _t82;
                                                				WCHAR* _t87;
                                                
                                                				_t82 =  *0x434f14;
                                                				_t22 = E00406806(2);
                                                				_t90 = _t22;
                                                				if(_t22 == 0) {
                                                					_t76 = 0x42d268;
                                                					L"1033" = 0x30;
                                                					 *0x442002 = 0x78;
                                                					 *0x442004 = 0;
                                                					E004062DF(_t78, __eflags, 0x80000001, L"Control Panel\\Desktop\\ResourceLocale", 0, 0x42d268, 0);
                                                					__eflags =  *0x42d268;
                                                					if(__eflags == 0) {
                                                						E004062DF(_t78, __eflags, 0x80000003, L".DEFAULT\\Control Panel\\International",  &M004083D4, 0x42d268, 0);
                                                					}
                                                					lstrcatW(L"1033", _t76);
                                                				} else {
                                                					E00406358(L"1033",  *_t22() & 0x0000ffff);
                                                				}
                                                				E00403DB6(_t78, _t90);
                                                				_t86 = L"C:\\Users\\jones\\AppData\\Roaming\\Shoved";
                                                				 *0x434fa0 =  *0x434f1c & 0x00000020;
                                                				 *0x434fbc = 0x10000;
                                                				if(E00405DEE(_t90, L"C:\\Users\\jones\\AppData\\Roaming\\Shoved") != 0) {
                                                					L16:
                                                					if(E00405DEE(_t98, _t86) == 0) {
                                                						E0040644E(_t76, 0, _t82, _t86,  *((intOrPtr*)(_t82 + 0x118))); // executed
                                                					}
                                                					_t30 = LoadImageW( *0x434f00, 0x67, 1, 0, 0, 0x8040); // executed
                                                					 *0x433ee8 = _t30;
                                                					if( *((intOrPtr*)(_t82 + 0x50)) == 0xffffffff) {
                                                						L21:
                                                						if(E0040140B(0) == 0) {
                                                							_t32 = E00403DB6(_t78, __eflags);
                                                							__eflags =  *0x434fc0;
                                                							if( *0x434fc0 != 0) {
                                                								_t33 = E0040554C(_t32, 0);
                                                								__eflags = _t33;
                                                								if(_t33 == 0) {
                                                									E0040140B(1);
                                                									goto L33;
                                                								}
                                                								__eflags =  *0x433ecc;
                                                								if( *0x433ecc == 0) {
                                                									E0040140B(2);
                                                								}
                                                								goto L22;
                                                							}
                                                							ShowWindow( *0x42d248, 5); // executed
                                                							_t39 = E00406796("RichEd20"); // executed
                                                							__eflags = _t39;
                                                							if(_t39 == 0) {
                                                								E00406796("RichEd32");
                                                							}
                                                							_t87 = L"RichEdit20W";
                                                							_t40 = GetClassInfoW(0, _t87, 0x433ea0);
                                                							__eflags = _t40;
                                                							if(_t40 == 0) {
                                                								GetClassInfoW(0, L"RichEdit", 0x433ea0);
                                                								 *0x433ec4 = _t87;
                                                								RegisterClassW(0x433ea0);
                                                							}
                                                							_t44 = DialogBoxParamW( *0x434f00,  *0x433ee0 + 0x00000069 & 0x0000ffff, 0, E00403E8E, 0); // executed
                                                							E00403A30(E0040140B(5), 1);
                                                							return _t44;
                                                						}
                                                						L22:
                                                						_t36 = 2;
                                                						return _t36;
                                                					} else {
                                                						_t78 =  *0x434f00;
                                                						 *0x433ea4 = E00401000;
                                                						 *0x433eb0 =  *0x434f00;
                                                						 *0x433eb4 = _t30;
                                                						 *0x433ec4 = 0x40a380;
                                                						if(RegisterClassW(0x433ea0) == 0) {
                                                							L33:
                                                							__eflags = 0;
                                                							return 0;
                                                						}
                                                						SystemParametersInfoW(0x30, 0,  &_v16, 0);
                                                						 *0x42d248 = CreateWindowExW(0x80, 0x40a380, 0, 0x80000000, _v16, _v12, _v8 - _v16, _v4 - _v12, 0, 0,  *0x434f00, 0);
                                                						goto L21;
                                                					}
                                                				} else {
                                                					_t78 =  *(_t82 + 0x48);
                                                					_t92 = _t78;
                                                					if(_t78 == 0) {
                                                						goto L16;
                                                					}
                                                					_t76 = 0x432ea0;
                                                					E004062DF(_t78, _t92,  *((intOrPtr*)(_t82 + 0x44)),  *0x434f58 + _t78 * 2,  *0x434f58 +  *(_t82 + 0x4c) * 2, 0x432ea0, 0);
                                                					_t63 =  *0x432ea0; // 0x43
                                                					if(_t63 == 0) {
                                                						goto L16;
                                                					}
                                                					if(_t63 == 0x22) {
                                                						_t76 = 0x432ea2;
                                                						 *((short*)(E00405D13(0x432ea2, 0x22))) = 0;
                                                					}
                                                					_t65 = _t76 + lstrlenW(_t76) * 2 - 8;
                                                					if(_t65 <= _t76 || lstrcmpiW(_t65, L".exe") != 0) {
                                                						L15:
                                                						E00406411(_t86, E00405CE6(_t76));
                                                						goto L16;
                                                					} else {
                                                						_t69 = GetFileAttributesW(_t76);
                                                						if(_t69 == 0xffffffff) {
                                                							L14:
                                                							E00405D32(_t76);
                                                							goto L15;
                                                						}
                                                						_t98 = _t69 & 0x00000010;
                                                						if((_t69 & 0x00000010) != 0) {
                                                							goto L15;
                                                						}
                                                						goto L14;
                                                					}
                                                				}
                                                			}

























                                                APIs
                                                  • Part of subcall function 00406806: GetModuleHandleA.KERNEL32(?,00000020,?,00403537,0000000B), ref: 00406818
                                                  • Part of subcall function 00406806: GetProcAddress.KERNEL32(00000000,?), ref: 00406833
                                                • lstrcatW.KERNEL32(1033,0042D268), ref: 00403B61
                                                • lstrlenW.KERNEL32(Call,?,?,?,Call,00000000,C:\Users\user\AppData\Roaming\Shoved,1033,0042D268,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042D268,00000000,00000002,7476FAA0), ref: 00403BE1
                                                • lstrcmpiW.KERNEL32(?,.exe,Call,?,?,?,Call,00000000,C:\Users\user\AppData\Roaming\Shoved,1033,0042D268,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042D268,00000000), ref: 00403BF4
                                                • GetFileAttributesW.KERNEL32(Call), ref: 00403BFF
                                                • LoadImageW.USER32 ref: 00403C48
                                                  • Part of subcall function 00406358: wsprintfW.USER32 ref: 00406365
                                                • RegisterClassW.USER32 ref: 00403C85
                                                • SystemParametersInfoW.USER32 ref: 00403C9D
                                                • CreateWindowExW.USER32 ref: 00403CD2
                                                • ShowWindow.USER32(00000005,00000000), ref: 00403D08
                                                • GetClassInfoW.USER32 ref: 00403D34
                                                • GetClassInfoW.USER32 ref: 00403D41
                                                • RegisterClassW.USER32 ref: 00403D4A
                                                • DialogBoxParamW.USER32 ref: 00403D69
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.835235633.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.835227877.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835247650.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835255668.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835279889.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835287535.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835293393.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835311029.0000000000460000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835319576.000000000047B000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835326492.000000000047E000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900.jbxd
                                                Similarity
                                                • API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
                                                • String ID: "C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe"$.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\Shoved$Call$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
                                                • API String ID: 1975747703-2943403132
                                                • Opcode ID: 431378757b75bd2c66e5e870ba5a75b2eb037ba1df85b121b0fccf1d7af94065
                                                • Instruction ID: ef062d508cd4fc62497976b4bc03dd7eae2cd9e8a178e807e7972486bae2ade7
                                                • Opcode Fuzzy Hash: 431378757b75bd2c66e5e870ba5a75b2eb037ba1df85b121b0fccf1d7af94065
                                                • Instruction Fuzzy Hash: 9A61B8711447006EE320AF66AE46F2B3A6CEBC5B4AF40453FF941B61E1DB7D9901CA2D
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                [Control-flow graph for function 00403015 (nodes marked executed / not executed); graph data not reproduced]
                                                C-Code - Quality: 78%
                                                			E00403015(void* __eflags, signed int _a4) {
                                                				DWORD* _v8;
                                                				DWORD* _v12;
                                                				void* _v16;
                                                				intOrPtr _v20;
                                                				long _v24;
                                                				intOrPtr _v28;
                                                				intOrPtr _v32;
                                                				intOrPtr _v36;
                                                				intOrPtr _v40;
                                                				signed int _v44;
                                                				long _t43;
                                                				long _t50;
                                                				void* _t53;
                                                				void* _t57;
                                                				intOrPtr* _t59;
                                                				long _t60;
                                                				long _t70;
                                                				signed int _t77;
                                                				intOrPtr _t80;
                                                				long _t82;
                                                				void* _t85;
                                                				signed int _t87;
                                                				void* _t89;
                                                				long _t90;
                                                				long _t93;
                                                				void* _t94;
                                                
                                                				_t82 = 0;
                                                				_v12 = 0;
                                                				_v8 = 0;
                                                				_t43 = GetTickCount();
                                                				_t91 = L"C:\\Users\\jones\\Desktop\\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe";
                                                				 *0x434f10 = _t43 + 0x3e8;
                                                				GetModuleFileNameW(0, L"C:\\Users\\jones\\Desktop\\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe", 0x400);
                                                				_t89 = E00405F07(_t91, 0x80000000, 3);
                                                				_v16 = _t89;
                                                				 *0x40a018 = _t89;
                                                				if(_t89 == 0xffffffff) {
                                                					return L"Error launching installer";
                                                				}
                                                				_t92 = L"C:\\Users\\jones\\Desktop";
                                                				E00406411(L"C:\\Users\\jones\\Desktop", _t91);
                                                				E00406411(L"CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe", E00405D32(_t92));
                                                				_t50 = GetFileSize(_t89, 0);
                                                				 *0x42aa24 = _t50;
                                                				_t93 = _t50;
                                                				if(_t50 <= 0) {
                                                					L24:
                                                					E00402FB1(1);
                                                					if( *0x434f18 == _t82) {
                                                						goto L29;
                                                					}
                                                					if(_v8 == _t82) {
                                                						L28:
                                                						_t53 = GlobalAlloc(0x40, _v24); // executed
                                                						_t94 = _t53;
                                                						E0040347D( *0x434f18 + 0x1c);
                                                						_push(_v24);
                                                						_push(_t94);
                                                						_push(_t82);
                                                						_push(0xffffffff); // executed
                                                						_t57 = E0040324C(); // executed
                                                						if(_t57 == _v24) {
                                                							 *0x434f14 = _t94;
                                                							 *0x434f1c =  *_t94;
                                                							if((_v44 & 0x00000001) != 0) {
                                                								 *0x434f20 =  *0x434f20 + 1;
                                                							}
                                                							_t40 = _t94 + 0x44; // 0x44
                                                							_t59 = _t40;
                                                							_t85 = 8;
                                                							do {
                                                								_t59 = _t59 - 8;
                                                								 *_t59 =  *_t59 + _t94;
                                                								_t85 = _t85 - 1;
                                                							} while (_t85 != 0);
                                                							_t60 = SetFilePointer(_v16, _t82, _t82, 1); // executed
                                                							 *(_t94 + 0x3c) = _t60;
                                                							E00405EC2(0x434f40, _t94 + 4, 0x40);
                                                							return 0;
                                                						}
                                                						goto L29;
                                                					}
                                                					E0040347D( *0x41ea18);
                                                					if(E00403467( &_a4, 4) == 0 || _v12 != _a4) {
                                                						goto L29;
                                                					} else {
                                                						goto L28;
                                                					}
                                                				} else {
                                                					do {
                                                						_t90 = _t93;
                                                						asm("sbb eax, eax");
                                                						_t70 = ( ~( *0x434f18) & 0x00007e00) + 0x200;
                                                						if(_t93 >= _t70) {
                                                							_t90 = _t70;
                                                						}
                                                						if(E00403467(0x416a18, _t90) == 0) {
                                                							E00402FB1(1);
                                                							L29:
                                                							return L"Installer integrity check has failed. Common causes include\nincomplete download and damaged media. Contact the\ninstaller\'s author to obtain a new copy.\n\nMore information at:\nhttp://nsis.sf.net/NSIS_Error";
                                                						}
                                                						if( *0x434f18 != 0) {
                                                							if((_a4 & 0x00000002) == 0) {
                                                								E00402FB1(0);
                                                							}
                                                							goto L20;
                                                						}
                                                						E00405EC2( &_v44, 0x416a18, 0x1c);
                                                						_t77 = _v44;
                                                						if((_t77 & 0xfffffff0) == 0 && _v40 == 0xdeadbeef && _v28 == 0x74736e49 && _v32 == 0x74666f73 && _v36 == 0x6c6c754e) {
                                                							_a4 = _a4 | _t77;
                                                							_t87 =  *0x41ea18; // 0x37c9e
                                                							 *0x434fc0 =  *0x434fc0 | _a4 & 0x00000002;
                                                							_t80 = _v20;
                                                							 *0x434f18 = _t87;
                                                							if(_t80 > _t93) {
                                                								goto L29;
                                                							}
                                                							if((_a4 & 0x00000008) != 0 || (_a4 & 0x00000004) == 0) {
                                                								_v8 = _v8 + 1;
                                                								_t24 = _t80 - 4; // 0x40a2dc
                                                								_t93 = _t24;
                                                								if(_t90 > _t93) {
                                                									_t90 = _t93;
                                                								}
                                                								goto L20;
                                                							} else {
                                                								break;
                                                							}
                                                						}
                                                						L20:
                                                						if(_t93 <  *0x42aa24) {
                                                							_v12 = E004068F3(_v12, 0x416a18, _t90);
                                                						}
                                                						 *0x41ea18 =  *0x41ea18 + _t90;
                                                						_t93 = _t93 - _t90;
                                                					} while (_t93 != 0);
                                                					_t82 = 0;
                                                					goto L24;
                                                				}
                                                			}

                                                APIs
                                                • GetTickCount.KERNEL32 ref: 00403026
                                                • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe,00000400,?,00000007,00000009,0000000B), ref: 00403042
                                                  • Part of subcall function 00405F07: GetFileAttributesW.KERNELBASE(?,00403055,C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe,80000000,00000003,?,00000007,00000009,0000000B), ref: 00405F0B
                                                  • Part of subcall function 00405F07: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,00000007,00000009,0000000B), ref: 00405F2D
                                                • GetFileSize.KERNEL32(00000000,00000000,CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe,C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe,80000000,00000003,?,00000007,00000009,0000000B), ref: 0040308E
                                                • GlobalAlloc.KERNELBASE(00000040,0000000B,?,00000007,00000009,0000000B), ref: 004031C4
                                                Strings
                                                • C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe, xrefs: 0040302C, 0040303B, 0040304F, 0040306F
                                                • Inst, xrefs: 004030FA
                                                • Error launching installer, xrefs: 00403065
                                                • soft, xrefs: 00403103
                                                • C:\Users\user\AppData\Local\Temp\, xrefs: 0040301C
                                                • C:\Users\user\Desktop, xrefs: 00403070, 00403075, 0040307B
                                                • "C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe", xrefs: 00403015
                                                • Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 004031EB
                                                • CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe, xrefs: 00403082
                                                • Null, xrefs: 0040310C
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.835235633.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.835227877.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835247650.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835255668.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835279889.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835287535.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835293393.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835311029.0000000000460000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835319576.000000000047B000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835326492.000000000047E000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900.jbxd
                                                Similarity
                                                • API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
                                                • String ID: "C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe$CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
                                                • API String ID: 2803837635-3386813841
                                                • Opcode ID: a52360a1b04fecb28cdb34ea46c0a5e0142df37db4d5eb2ecb020a06199e7e0c
                                                • Instruction ID: 352fdba277142773567f3d30b5bba7b1c47688a28dd7517ec43723b707c69b17
                                                • Opcode Fuzzy Hash: a52360a1b04fecb28cdb34ea46c0a5e0142df37db4d5eb2ecb020a06199e7e0c
                                                • Instruction Fuzzy Hash: CF51D331904204ABDB109FA5DD85B9E7EACEB48356F24803BF910BA2D1C77C9F418B9D
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 730 40644e-406459 731 40645b-40646a 730->731 732 40646c-406482 730->732 731->732 733 406488-406495 732->733 734 40669a-4066a0 732->734 733->734 735 40649b-4064a2 733->735 736 4066a6-4066b1 734->736 737 4064a7-4064b4 734->737 735->734 738 4066b3-4066b7 call 406411 736->738 739 4066bc-4066bd 736->739 737->736 740 4064ba-4064c6 737->740 738->739 742 406687 740->742 743 4064cc-40650a 740->743 746 406695-406698 742->746 747 406689-406693 742->747 744 406510-40651b 743->744 745 40662a-40662e 743->745 748 406534 744->748 749 40651d-406522 744->749 750 406630-406636 745->750 751 406661-406665 745->751 746->734 747->734 754 40653b-406542 748->754 749->748 757 406524-406527 749->757 752 406646-406652 call 406411 750->752 753 406638-406644 call 406358 750->753 755 406674-406685 lstrlenW 751->755 756 406667-40666f call 40644e 751->756 767 406657-40665d 752->767 753->767 759 406544-406546 754->759 760 406547-406549 754->760 755->734 756->755 757->748 763 406529-40652c 757->763 759->760 765 406584-406587 760->765 766 40654b-406572 call 4062df 760->766 763->748 768 40652e-406532 763->768 771 406597-40659a 765->771 772 406589-406595 GetSystemDirectoryW 765->772 778 406612-406615 766->778 779 406578-40657f call 40644e 766->779 767->755 770 40665f 767->770 768->754 774 406622-406628 call 4066c0 770->774 776 406605-406607 771->776 777 40659c-4065aa GetWindowsDirectoryW 771->777 775 406609-40660d 772->775 774->755 775->774 781 40660f 775->781 776->775 780 4065ac-4065b6 776->780 777->776 778->774 784 406617-40661d lstrcatW 778->784 779->775 786 4065d0-4065e6 SHGetSpecialFolderLocation 780->786 787 4065b8-4065bb 780->787 781->778 784->774 789 406601 786->789 790 4065e8-4065ff SHGetPathFromIDListW CoTaskMemFree 786->790 787->786 788 4065bd-4065c4 787->788 792 4065cc-4065ce 788->792 789->776 790->775 790->789 792->775 792->786
                                                C-Code - Quality: 72%
                                                			E0040644E(void* __ebx, void* __edi, void* __esi, signed int _a4, signed int _a8) {
                                                				signed int _v8;
                                                				struct _ITEMIDLIST* _v12;
                                                				signed int _v16;
                                                				signed int _v20;
                                                				signed int _v24;
                                                				signed int _v28;
                                                				signed int _t43;
                                                				WCHAR* _t44;
                                                				signed char _t46;
                                                				signed int _t47;
                                                				signed int _t48;
                                                				short _t58;
                                                				short _t60;
                                                				short _t62;
                                                				void* _t70;
                                                				signed int _t76;
                                                				void* _t82;
                                                				signed char _t83;
                                                				short _t86;
                                                				signed int _t96;
                                                				void* _t102;
                                                				short _t103;
                                                				signed int _t106;
                                                				signed int _t108;
                                                				void* _t109;
                                                				WCHAR* _t110;
                                                				void* _t112;
                                                
                                                				_t109 = __esi;
                                                				_t102 = __edi;
                                                				_t70 = __ebx;
                                                				_t43 = _a8;
                                                				if(_t43 < 0) {
                                                					_t43 =  *( *0x433edc - 4 + _t43 * 4);
                                                				}
                                                				_push(_t70);
                                                				_push(_t109);
                                                				_push(_t102);
                                                				_t96 =  *0x434f58 + _t43 * 2;
                                                				_t44 = 0x432ea0;
                                                				_t110 = 0x432ea0;
                                                				if(_a4 >= 0x432ea0 && _a4 - 0x432ea0 >> 1 < 0x800) {
                                                					_t110 = _a4;
                                                					_a4 = _a4 & 0x00000000;
                                                				}
                                                				while(1) {
                                                					_t103 =  *_t96;
                                                					if(_t103 == 0) {
                                                						break;
                                                					}
                                                					__eflags = (_t110 - _t44 & 0xfffffffe) - 0x800;
                                                					if((_t110 - _t44 & 0xfffffffe) >= 0x800) {
                                                						break;
                                                					}
                                                					_t82 = 2;
                                                					_t96 = _t96 + _t82;
                                                					__eflags = _t103 - 4;
                                                					_a8 = _t96;
                                                					if(__eflags >= 0) {
                                                						if(__eflags != 0) {
                                                							 *_t110 = _t103;
                                                							_t110 = _t110 + _t82;
                                                							__eflags = _t110;
                                                						} else {
                                                							 *_t110 =  *_t96;
                                                							_t110 = _t110 + _t82;
                                                							_t96 = _t96 + _t82;
                                                						}
                                                						continue;
                                                					}
                                                					_t83 =  *((intOrPtr*)(_t96 + 1));
                                                					_t46 =  *_t96;
                                                					_t47 = _t46 & 0x000000ff;
                                                					_v8 = (_t83 & 0x0000007f) << 0x00000007 | _t46 & 0x0000007f;
                                                					_a8 = _a8 + 2;
                                                					_v28 = _t47 | 0x00008000;
                                                					_v24 = _t47;
                                                					_t76 = _t83 & 0x000000ff;
                                                					_v16 = _t76;
                                                					__eflags = _t103 - 2;
                                                					_v20 = _t76 | 0x00008000;
                                                					if(_t103 != 2) {
                                                						__eflags = _t103 - 3;
                                                						if(_t103 != 3) {
                                                							__eflags = _t103 - 1;
                                                							if(_t103 == 1) {
                                                								__eflags = (_t47 | 0xffffffff) - _v8;
                                                								E0040644E(_t76, _t103, _t110, _t110, (_t47 | 0xffffffff) - _v8);
                                                							}
                                                							L43:
                                                							_t48 = lstrlenW(_t110);
                                                							_t96 = _a8;
                                                							_t110 =  &(_t110[_t48]);
                                                							_t44 = 0x432ea0;
                                                							continue;
                                                						}
                                                						_t106 = _v8;
                                                						__eflags = _t106 - 0x1d;
                                                						if(_t106 != 0x1d) {
                                                							__eflags = (_t106 << 0xb) + 0x436000;
                                                							E00406411(_t110, (_t106 << 0xb) + 0x436000);
                                                						} else {
                                                							E00406358(_t110,  *0x434f08);
                                                						}
                                                						__eflags = _t106 + 0xffffffeb - 7;
                                                						if(_t106 + 0xffffffeb < 7) {
                                                							L34:
                                                							E004066C0(_t110);
                                                						}
                                                						goto L43;
                                                					}
                                                					_t86 =  *0x434f0c;
                                                					__eflags = _t86;
                                                					_t108 = 2;
                                                					if(_t86 >= 0) {
                                                						L13:
                                                						_v8 = 1;
                                                						L14:
                                                						__eflags =  *0x434fa4;
                                                						if( *0x434fa4 != 0) {
                                                							_t108 = 4;
                                                						}
                                                						__eflags = _t47;
                                                						if(__eflags >= 0) {
                                                							__eflags = _t47 - 0x25;
                                                							if(_t47 != 0x25) {
                                                								__eflags = _t47 - 0x24;
                                                								if(_t47 == 0x24) {
                                                									GetWindowsDirectoryW(_t110, 0x400);
                                                									_t108 = 0;
                                                								}
                                                								while(1) {
                                                									__eflags = _t108;
                                                									if(_t108 == 0) {
                                                										goto L30;
                                                									}
                                                									_t58 =  *0x434f04;
                                                									_t108 = _t108 - 1;
                                                									__eflags = _t58;
                                                									if(_t58 == 0) {
                                                										L26:
                                                										_t60 = SHGetSpecialFolderLocation( *0x434f08,  *(_t112 + _t108 * 4 - 0x18),  &_v12);
                                                										__eflags = _t60;
                                                										if(_t60 != 0) {
                                                											L28:
                                                											 *_t110 =  *_t110 & 0x00000000;
                                                											__eflags =  *_t110;
                                                											continue;
                                                										}
                                                										__imp__SHGetPathFromIDListW(_v12, _t110);
                                                										__imp__CoTaskMemFree(_v12);
                                                										__eflags = _t60;
                                                										if(_t60 != 0) {
                                                											goto L30;
                                                										}
                                                										goto L28;
                                                									}
                                                									__eflags = _v8;
                                                									if(_v8 == 0) {
                                                										goto L26;
                                                									}
                                                									_t62 =  *_t58( *0x434f08,  *(_t112 + _t108 * 4 - 0x18), 0, 0, _t110); // executed
                                                									__eflags = _t62;
                                                									if(_t62 == 0) {
                                                										goto L30;
                                                									}
                                                									goto L26;
                                                								}
                                                								goto L30;
                                                							}
                                                							GetSystemDirectoryW(_t110, 0x400);
                                                							goto L30;
                                                						} else {
                                                							E004062DF( *0x434f58, __eflags, 0x80000002, L"Software\\Microsoft\\Windows\\CurrentVersion",  *0x434f58 + (_t47 & 0x0000003f) * 2, _t110, _t47 & 0x00000040);
                                                							__eflags =  *_t110;
                                                							if( *_t110 != 0) {
                                                								L32:
                                                								__eflags = _t76 - 0x1a;
                                                								if(_t76 == 0x1a) {
                                                									lstrcatW(_t110, L"\\Microsoft\\Internet Explorer\\Quick Launch");
                                                								}
                                                								goto L34;
                                                							}
                                                							E0040644E(_t76, _t108, _t110, _t110, _t76);
                                                							L30:
                                                							__eflags =  *_t110;
                                                							if( *_t110 == 0) {
                                                								goto L34;
                                                							}
                                                							_t76 = _v16;
                                                							goto L32;
                                                						}
                                                					}
                                                					__eflags = _t86 - 0x5a04;
                                                					if(_t86 == 0x5a04) {
                                                						goto L13;
                                                					}
                                                					__eflags = _t76 - 0x23;
                                                					if(_t76 == 0x23) {
                                                						goto L13;
                                                					}
                                                					__eflags = _t76 - 0x2e;
                                                					if(_t76 == 0x2e) {
                                                						goto L13;
                                                					} else {
                                                						_v8 = _v8 & 0x00000000;
                                                						goto L14;
                                                					}
                                                				}
                                                				 *_t110 =  *_t110 & 0x00000000;
                                                				if(_a4 == 0) {
                                                					return _t44;
                                                				}
                                                				return E00406411(_a4, _t44);
                                                			}































                                                APIs
                                                • GetSystemDirectoryW.KERNEL32(Call,00000400), ref: 0040658F
                                                • GetWindowsDirectoryW.KERNEL32(Call,00000400,00000000,0042C248,?,004054B0,0042C248,00000000), ref: 004065A2
                                                • SHGetSpecialFolderLocation.SHELL32(004054B0,00425A20,00000000,0042C248,?,004054B0,0042C248,00000000), ref: 004065DE
                                                • SHGetPathFromIDListW.SHELL32(00425A20,Call), ref: 004065EC
                                                • CoTaskMemFree.OLE32(00425A20), ref: 004065F7
                                                • lstrcatW.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch), ref: 0040661D
                                                • lstrlenW.KERNEL32(Call,00000000,0042C248,?,004054B0,0042C248,00000000), ref: 00406675
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.835235633.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.835227877.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835247650.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835255668.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835279889.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835287535.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835293393.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835311029.0000000000460000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835319576.000000000047B000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835326492.000000000047E000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900.jbxd
                                                Similarity
                                                • API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskWindowslstrcatlstrlen
                                                • String ID: Call$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
                                                • API String ID: 717251189-1230650788
                                                • Opcode ID: d2ae35223b5679837e7cae1169c661c9243fab95fc342e3086787ca7bf20af92
                                                • Instruction ID: cd0f296135d024e5542a1133132ccafb23cc3a0c8fe84acec88ebf75cbd5934e
                                                • Opcode Fuzzy Hash: d2ae35223b5679837e7cae1169c661c9243fab95fc342e3086787ca7bf20af92
                                                • Instruction Fuzzy Hash: 9C614471A00111AADF208F54DD41BBE37A5AF44314F26853FE943B62D0EB3E5AA2CB5D
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                [Control-flow graph of function 0040324C, nodes marked Executed / Not Executed; rendered graph not preserved]
                                                C-Code - Quality: 95%
                                                			E0040324C(int _a4, intOrPtr _a8, intOrPtr _a12, int _a16, signed char _a19) {
                                                				signed int _v8;
                                                				int _v12;
                                                				intOrPtr _v16;
                                                				long _v20;
                                                				intOrPtr _v24;
                                                				short _v152;
                                                				void* _t65;
                                                				void* _t69;
                                                				long _t70;
                                                				intOrPtr _t75;
                                                				long _t76;
                                                				intOrPtr _t77;
                                                				void* _t78;
                                                				int _t88;
                                                				intOrPtr _t92;
                                                				intOrPtr _t95;
                                                				long _t96;
                                                				signed int _t97;
                                                				int _t98;
                                                				int _t99;
                                                				intOrPtr _t100;
                                                				void* _t101;
                                                				void* _t102;
                                                
                                                				_t97 = _a16;
                                                				_t92 = _a12;
                                                				_v12 = _t97;
                                                				if(_t92 == 0) {
                                                					_v12 = 0x8000;
                                                				}
                                                				_v8 = _v8 & 0x00000000;
                                                				_v16 = _t92;
                                                				if(_t92 == 0) {
                                                					_v16 = 0x422a20;
                                                				}
                                                				_t62 = _a4;
                                                				if(_a4 >= 0) {
                                                					E0040347D( *0x434f78 + _t62);
                                                				}
                                                				if(E00403467( &_a16, 4) == 0) {
                                                					L41:
                                                					_push(0xfffffffd);
                                                					goto L42;
                                                				} else {
                                                					if((_a19 & 0x00000080) == 0) {
                                                						if(_t92 != 0) {
                                                							if(_a16 < _t97) {
                                                								_t97 = _a16;
                                                							}
                                                							if(E00403467(_t92, _t97) != 0) {
                                                								_v8 = _t97;
                                                								L44:
                                                								return _v8;
                                                							} else {
                                                								goto L41;
                                                							}
                                                						}
                                                						if(_a16 <= _t92) {
                                                							goto L44;
                                                						}
                                                						_t88 = _v12;
                                                						while(1) {
                                                							_t98 = _a16;
                                                							if(_a16 >= _t88) {
                                                								_t98 = _t88;
                                                							}
                                                							if(E00403467(0x41ea20, _t98) == 0) {
                                                								goto L41;
                                                							}
                                                							_t69 = E00405FB9(_a8, 0x41ea20, _t98); // executed
                                                							if(_t69 == 0) {
                                                								L28:
                                                								_push(0xfffffffe);
                                                								L42:
                                                								_pop(_t65);
                                                								return _t65;
                                                							}
                                                							_v8 = _v8 + _t98;
                                                							_a16 = _a16 - _t98;
                                                							if(_a16 > 0) {
                                                								continue;
                                                							}
                                                							goto L44;
                                                						}
                                                						goto L41;
                                                					}
                                                					_t70 = GetTickCount();
                                                					 *0x40d384 =  *0x40d384 & 0x00000000;
                                                					 *0x40d380 =  *0x40d380 & 0x00000000;
                                                					_t14 =  &_a16;
                                                					 *_t14 = _a16 & 0x7fffffff;
                                                					_v20 = _t70;
                                                					 *0x40ce68 = 8;
                                                					 *0x416a10 = 0x40ea08;
                                                					 *0x416a0c = 0x40ea08;
                                                					 *0x416a08 = 0x416a08;
                                                					_a4 = _a16;
                                                					if( *_t14 <= 0) {
                                                						goto L44;
                                                					} else {
                                                						goto L9;
                                                					}
                                                					while(1) {
                                                						L9:
                                                						_t99 = 0x4000;
                                                						if(_a16 < 0x4000) {
                                                							_t99 = _a16;
                                                						}
                                                						if(E00403467(0x41ea20, _t99) == 0) {
                                                							goto L41;
                                                						}
                                                						_a16 = _a16 - _t99;
                                                						 *0x40ce58 = 0x41ea20;
                                                						 *0x40ce5c = _t99;
                                                						while(1) {
                                                							_t95 = _v16;
                                                							 *0x40ce60 = _t95;
                                                							 *0x40ce64 = _v12;
                                                							_t75 = E00406961(0x40ce58);
                                                							_v24 = _t75;
                                                							if(_t75 < 0) {
                                                								break;
                                                							}
                                                							_t100 =  *0x40ce60; // 0x425a20
                                                							_t101 = _t100 - _t95;
                                                							_t76 = GetTickCount();
                                                							_t96 = _t76;
                                                							if(( *0x434fd4 & 0x00000001) != 0 && (_t76 - _v20 > 0xc8 || _a16 == 0)) {
                                                								wsprintfW( &_v152, L"... %d%%", MulDiv(_a4 - _a16, 0x64, _a4));
                                                								_t102 = _t102 + 0xc;
                                                								E00405479(0,  &_v152);
                                                								_v20 = _t96;
                                                							}
                                                							if(_t101 == 0) {
                                                								if(_a16 > 0) {
                                                									goto L9;
                                                								}
                                                								goto L44;
                                                							} else {
                                                								if(_a12 != 0) {
                                                									_t77 =  *0x40ce60; // 0x425a20
                                                									_v8 = _v8 + _t101;
                                                									_v12 = _v12 - _t101;
                                                									_v16 = _t77;
                                                									L23:
                                                									if(_v24 != 1) {
                                                										continue;
                                                									}
                                                									goto L44;
                                                								}
                                                								_t78 = E00405FB9(_a8, _v16, _t101); // executed
                                                								if(_t78 == 0) {
                                                									goto L28;
                                                								}
                                                								_v8 = _v8 + _t101;
                                                								goto L23;
                                                							}
                                                						}
                                                						_push(0xfffffffc);
                                                						goto L42;
                                                					}
                                                					goto L41;
                                                				}
                                                			}


























                                                Memory Dump Source
                                                • Source File: 00000000.00000002.835235633.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.835227877.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835247650.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835255668.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835279889.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835287535.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835293393.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835311029.0000000000460000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835319576.000000000047B000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835326492.000000000047E000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900.jbxd
                                                Similarity
                                                • API ID: CountTick$wsprintf
                                                • String ID: *B$ ZB$ A$ A$... %d%%
                                                • API String ID: 551687249-3856725213
                                                • Opcode ID: 6aa008098f4ef09d38d5c59ecde741492560208fda71d4d747c9693988f45b69
                                                • Instruction ID: 934ec796fb5923f126773143cacc3683187fa16e161fba292e3b1b9e9ada072f
                                                • Opcode Fuzzy Hash: 6aa008098f4ef09d38d5c59ecde741492560208fda71d4d747c9693988f45b69
                                                • Instruction Fuzzy Hash: 44518C71D00219DBCB11DF65EA84B9E7FA8AF01756F10817BEC10BB2C1C7789A40CBA9
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 75%
                                                			E0040176F(FILETIME* __ebx, void* __eflags) {
                                                				void* __esi;
                                                				void* _t35;
                                                				void* _t43;
                                                				void* _t45;
                                                				FILETIME* _t51;
                                                				FILETIME* _t64;
                                                				void* _t66;
                                                				signed int _t72;
                                                				FILETIME* _t73;
                                                				FILETIME* _t77;
                                                				signed int _t79;
                                                				WCHAR* _t81;
                                                				void* _t83;
                                                				void* _t84;
                                                				void* _t86;
                                                
                                                				_t77 = __ebx;
                                                				 *(_t86 - 8) = E00402D3E(0x31);
                                                				 *(_t86 + 8) =  *(_t86 - 0x30) & 0x00000007;
                                                				_t35 = E00405D5D( *(_t86 - 8));
                                                				_push( *(_t86 - 8));
                                                				_t81 = L"Call";
                                                				if(_t35 == 0) {
                                                					lstrcatW(E00405CE6(E00406411(_t81, L"C:\\Users\\jones\\AppData\\Roaming\\Shoved\\Factorist")), ??);
                                                				} else {
                                                					E00406411();
                                                				}
                                                				E004066C0(_t81);
                                                				while(1) {
                                                					__eflags =  *(_t86 + 8) - 3;
                                                					if( *(_t86 + 8) >= 3) {
                                                						_t66 = E0040676F(_t81);
                                                						_t79 = 0;
                                                						__eflags = _t66 - _t77;
                                                						if(_t66 != _t77) {
                                                							_t73 = _t66 + 0x14;
                                                							__eflags = _t73;
                                                							_t79 = CompareFileTime(_t73, _t86 - 0x24);
                                                						}
                                                						asm("sbb eax, eax");
                                                						_t72 =  ~(( *(_t86 + 8) + 0xfffffffd | 0x80000000) & _t79) + 1;
                                                						__eflags = _t72;
                                                						 *(_t86 + 8) = _t72;
                                                					}
                                                					__eflags =  *(_t86 + 8) - _t77;
                                                					if( *(_t86 + 8) == _t77) {
                                                						E00405EE2(_t81);
                                                					}
                                                					__eflags =  *(_t86 + 8) - 1;
                                                					_t43 = E00405F07(_t81, 0x40000000, (0 |  *(_t86 + 8) != 0x00000001) + 1);
                                                					__eflags = _t43 - 0xffffffff;
                                                					 *(_t86 - 0x38) = _t43;
                                                					if(_t43 != 0xffffffff) {
                                                						break;
                                                					}
                                                					__eflags =  *(_t86 + 8) - _t77;
                                                					if( *(_t86 + 8) != _t77) {
                                                						E00405479(0xffffffe2,  *(_t86 - 8));
                                                						__eflags =  *(_t86 + 8) - 2;
                                                						if(__eflags == 0) {
                                                							 *((intOrPtr*)(_t86 - 4)) = 1;
                                                						}
                                                						L31:
                                                						 *0x434fa8 =  *0x434fa8 +  *((intOrPtr*)(_t86 - 4));
                                                						__eflags =  *0x434fa8;
                                                						goto L32;
                                                					} else {
                                                						E00406411("C:\Users\jones\AppData\Local\Temp\nso5721.tmp", _t83);
                                                						E00406411(_t83, _t81);
                                                						E0040644E(_t77, _t81, _t83, "C:\Users\jones\AppData\Local\Temp\nso5721.tmp\System.dll",  *((intOrPtr*)(_t86 - 0x1c)));
                                                						E00406411(_t83, "C:\Users\jones\AppData\Local\Temp\nso5721.tmp");
                                                						_t64 = E00405A77("C:\Users\jones\AppData\Local\Temp\nso5721.tmp\System.dll",  *(_t86 - 0x30) >> 3) - 4;
                                                						__eflags = _t64;
                                                						if(_t64 == 0) {
                                                							continue;
                                                						} else {
                                                							__eflags = _t64 == 1;
                                                							if(_t64 == 1) {
                                                								 *0x434fa8 =  &( *0x434fa8->dwLowDateTime);
                                                								L32:
                                                								_t51 = 0;
                                                								__eflags = 0;
                                                							} else {
                                                								_push(_t81);
                                                								_push(0xfffffffa);
                                                								E00405479();
                                                								L29:
                                                								_t51 = 0x7fffffff;
                                                							}
                                                						}
                                                					}
                                                					L33:
                                                					return _t51;
                                                				}
                                                				E00405479(0xffffffea,  *(_t86 - 8));
                                                				 *0x434fd4 =  *0x434fd4 + 1;
                                                				_t45 = E0040324C( *((intOrPtr*)(_t86 - 0x28)),  *(_t86 - 0x38), _t77, _t77); // executed
                                                				 *0x434fd4 =  *0x434fd4 - 1;
                                                				__eflags =  *(_t86 - 0x24) - 0xffffffff;
                                                				_t84 = _t45;
                                                				if( *(_t86 - 0x24) != 0xffffffff) {
                                                					L22:
                                                					SetFileTime( *(_t86 - 0x38), _t86 - 0x24, _t77, _t86 - 0x24); // executed
                                                				} else {
                                                					__eflags =  *((intOrPtr*)(_t86 - 0x20)) - 0xffffffff;
                                                					if( *((intOrPtr*)(_t86 - 0x20)) != 0xffffffff) {
                                                						goto L22;
                                                					}
                                                				}
                                                				FindCloseChangeNotification( *(_t86 - 0x38)); // executed
                                                				__eflags = _t84 - _t77;
                                                				if(_t84 >= _t77) {
                                                					goto L31;
                                                				} else {
                                                					__eflags = _t84 - 0xfffffffe;
                                                					if(_t84 != 0xfffffffe) {
                                                						E0040644E(_t77, _t81, _t84, _t81, 0xffffffee);
                                                					} else {
                                                						E0040644E(_t77, _t81, _t84, _t81, 0xffffffe9);
                                                						lstrcatW(_t81,  *(_t86 - 8));
                                                					}
                                                					_push(0x200010);
                                                					_push(_t81);
                                                					E00405A77();
                                                					goto L29;
                                                				}
                                                				goto L33;
                                                			}



















                                                APIs
                                                • lstrcatW.KERNEL32(00000000,00000000), ref: 004017B0
                                                • CompareFileTime.KERNEL32(-00000014,?,Call,Call,00000000,00000000,Call,C:\Users\user\AppData\Roaming\Shoved\Factorist,?,?,00000031), ref: 004017D5
                                                  • Part of subcall function 00406411: lstrcpynW.KERNEL32(?,?,00000400,00403596,00433F00,NSIS Error,?,00000007,00000009,0000000B), ref: 0040641E
                                                  • Part of subcall function 00405479: lstrlenW.KERNEL32(0042C248,00000000,00425A20,7476EA30,?,?,?,?,?,?,?,?,?,004033B0,00000000,?), ref: 004054B1
                                                  • Part of subcall function 00405479: lstrlenW.KERNEL32(004033B0,0042C248,00000000,00425A20,7476EA30,?,?,?,?,?,?,?,?,?,004033B0,00000000), ref: 004054C1
                                                  • Part of subcall function 00405479: lstrcatW.KERNEL32(0042C248,004033B0), ref: 004054D4
                                                  • Part of subcall function 00405479: SetWindowTextW.USER32(0042C248,0042C248), ref: 004054E6
                                                  • Part of subcall function 00405479: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040550C
                                                  • Part of subcall function 00405479: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405526
                                                  • Part of subcall function 00405479: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405534
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.835235633.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.835227877.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835247650.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835255668.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835279889.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835287535.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835293393.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835311029.0000000000460000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835319576.000000000047B000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835326492.000000000047E000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900.jbxd
                                                Similarity
                                                • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
                                                • String ID: C:\Users\user\AppData\Local\Temp\nso5721.tmp$C:\Users\user\AppData\Local\Temp\nso5721.tmp\System.dll$C:\Users\user\AppData\Roaming\Shoved\Factorist$Call
                                                • API String ID: 1941528284-1879069618
                                                • Opcode ID: 898ce4c5b6941fe7d419b72eda9361d5450072f2bf0dde35a2139be17a2a5618
                                                • Instruction ID: 3db4763bd34d6378758f0dea6881e25fdbecc032a5989a9cd586940b12637d70
                                                • Opcode Fuzzy Hash: 898ce4c5b6941fe7d419b72eda9361d5450072f2bf0dde35a2139be17a2a5618
                                                • Instruction Fuzzy Hash: 13419471500118BACF10BFA5CD85DAE7A79EF45368B20423FF512B21E1DB3C89919A2D
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 986 405948-405993 CreateDirectoryW 987 405995-405997 986->987 988 405999-4059a6 GetLastError 986->988 989 4059c0-4059c2 987->989 988->989 990 4059a8-4059bc SetFileSecurityW 988->990 990->987 991 4059be GetLastError 990->991 991->989
                                                C-Code - Quality: 100%
                                                			E00405948(WCHAR* _a4) {
                                                				struct _SECURITY_ATTRIBUTES _v16;
                                                				struct _SECURITY_DESCRIPTOR _v36;
                                                				int _t22;
                                                				long _t23;
                                                
                                                				_v36.Sbz1 = _v36.Sbz1 & 0x00000000;
                                                				_v36.Owner = 0x4083f8;
                                                				_v36.Group = 0x4083f8;
                                                				_v36.Sacl = _v36.Sacl & 0x00000000;
                                                				_v16.bInheritHandle = _v16.bInheritHandle & 0x00000000;
                                                				_v16.lpSecurityDescriptor =  &_v36;
                                                				_v36.Revision = 1;
                                                				_v36.Control = 4;
                                                				_v36.Dacl = 0x4083e8;
                                                				_v16.nLength = 0xc;
                                                				_t22 = CreateDirectoryW(_a4,  &_v16); // executed
                                                				if(_t22 != 0) {
                                                					L1:
                                                					return 0;
                                                				}
                                                				_t23 = GetLastError();
                                                				if(_t23 == 0xb7) {
                                                					if(SetFileSecurityW(_a4, 0x80000007,  &_v36) != 0) {
                                                						goto L1;
                                                					}
                                                					return GetLastError();
                                                				}
                                                				return _t23;
                                                			}








                                                APIs
                                                • CreateDirectoryW.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 0040598B
                                                • GetLastError.KERNEL32 ref: 0040599F
                                                • SetFileSecurityW.ADVAPI32(?,80000007,00000001), ref: 004059B4
                                                • GetLastError.KERNEL32 ref: 004059BE
                                                Strings
                                                • C:\Users\user\AppData\Local\Temp\, xrefs: 0040596E
                                                • C:\Users\user\Desktop, xrefs: 00405948
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.835235633.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.835227877.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835247650.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835255668.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835279889.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835287535.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835293393.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835311029.0000000000460000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835319576.000000000047B000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835326492.000000000047E000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900.jbxd
                                                Similarity
                                                • API ID: ErrorLast$CreateDirectoryFileSecurity
                                                • String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop
                                                • API String ID: 3449924974-2028306314
                                                • Opcode ID: 79915fdb32ce531948ad707932686e2b3240d3ac97543659e1c0f9af800e449c
                                                • Instruction ID: 2a6702a12d34049f0ed6173726a665453ef4396ebd7eb618d4b77e108423b323
                                                • Opcode Fuzzy Hash: 79915fdb32ce531948ad707932686e2b3240d3ac97543659e1c0f9af800e449c
                                                • Instruction Fuzzy Hash: 720108B1C10219EADF019BA4D948BEFBFB8EF04314F00803AD544B6180D77896488BA9
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 992 406796-4067b6 GetSystemDirectoryW 993 4067b8 992->993 994 4067ba-4067bc 992->994 993->994 995 4067cd-4067cf 994->995 996 4067be-4067c7 994->996 998 4067d0-406803 wsprintfW LoadLibraryExW 995->998 996->995 997 4067c9-4067cb 996->997 997->998
                                                C-Code - Quality: 100%
                                                			E00406796(intOrPtr _a4) {
                                                				short _v576;
                                                				signed int _t13;
                                                				struct HINSTANCE__* _t17;
                                                				signed int _t19;
                                                				void* _t24;
                                                
                                                				_t13 = GetSystemDirectoryW( &_v576, 0x104);
                                                				if(_t13 > 0x104) {
                                                					_t13 = 0;
                                                				}
                                                				if(_t13 == 0 ||  *((short*)(_t24 + _t13 * 2 - 0x23e)) == 0x5c) {
                                                					_t19 = 1;
                                                				} else {
                                                					_t19 = 0;
                                                				}
                                                				wsprintfW(_t24 + _t13 * 2 - 0x23c, L"%s%S.dll", 0x40a014 + _t19 * 2, _a4);
                                                				_t17 = LoadLibraryExW( &_v576, 0, 8); // executed
                                                				return _t17;
                                                			}









                                                APIs
                                                • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004067AD
                                                • wsprintfW.USER32 ref: 004067E8
                                                • LoadLibraryExW.KERNELBASE(?,00000000,00000008), ref: 004067FC
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.835235633.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.835227877.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835247650.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835255668.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835279889.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835287535.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835293393.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835311029.0000000000460000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835319576.000000000047B000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835326492.000000000047E000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900.jbxd
                                                Similarity
                                                • API ID: DirectoryLibraryLoadSystemwsprintf
                                                • String ID: %s%S.dll$UXTHEME$\
                                                • API String ID: 2200240437-1946221925
                                                • Opcode ID: 70474fd7a4f9c0ba06a591290262a653731ba096fd3a0e6ffa6d52d828e9795f
                                                • Instruction ID: 2cc1ede9ae180511fd9dc47da010e879a2503ad1dada0433f9440106b5f2728e
                                                • Opcode Fuzzy Hash: 70474fd7a4f9c0ba06a591290262a653731ba096fd3a0e6ffa6d52d828e9795f
                                                • Instruction Fuzzy Hash: 86F09670510119A7DB24BF64DE4DF9B366CAB00709F11447AA646F21D0EB7C9A68CBA8
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 999 405f36-405f42 1000 405f43-405f77 GetTickCount GetTempFileNameW 999->1000 1001 405f86-405f88 1000->1001 1002 405f79-405f7b 1000->1002 1004 405f80-405f83 1001->1004 1002->1000 1003 405f7d 1002->1003 1003->1004
                                                C-Code - Quality: 100%
                                                			E00405F36(void* __ecx, WCHAR* _a4, WCHAR* _a8) {
                                                				intOrPtr _v8;
                                                				short _v12;
                                                				short _t12;
                                                				intOrPtr _t13;
                                                				signed int _t14;
                                                				WCHAR* _t17;
                                                				signed int _t19;
                                                				signed short _t23;
                                                				WCHAR* _t26;
                                                
                                                				_t26 = _a4;
                                                				_t23 = 0x64;
                                                				while(1) {
                                                					_t12 =  *L"nsa"; // 0x73006e
                                                					_t23 = _t23 - 1;
                                                					_v12 = _t12;
                                                					_t13 =  *0x40a57c; // 0x61
                                                					_v8 = _t13;
                                                					_t14 = GetTickCount();
                                                					_t19 = 0x1a;
                                                					_v8 = _v8 + _t14 % _t19;
                                                					_t17 = GetTempFileNameW(_a8,  &_v12, 0, _t26); // executed
                                                					if(_t17 != 0) {
                                                						break;
                                                					}
                                                					if(_t23 != 0) {
                                                						continue;
                                                					} else {
                                                						 *_t26 =  *_t26 & _t23;
                                                					}
                                                					L4:
                                                					return _t17;
                                                				}
                                                				_t17 = _t26;
                                                				goto L4;
                                                			}













                                                APIs
                                                • GetTickCount.KERNEL32 ref: 00405F54
                                                • GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,"C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe",004034C3,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040370F), ref: 00405F6F
                                                Strings
                                                • C:\Users\user\AppData\Local\Temp\, xrefs: 00405F3B
                                                • "C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe", xrefs: 00405F36
                                                • nsa, xrefs: 00405F43
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.835235633.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.835227877.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835247650.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835255668.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835279889.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835287535.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835293393.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835311029.0000000000460000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835319576.000000000047B000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835326492.000000000047E000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900.jbxd
                                                Similarity
                                                • API ID: CountFileNameTempTick
                                                • String ID: "C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe"$C:\Users\user\AppData\Local\Temp\$nsa
                                                • API String ID: 1716503409-74043666
                                                • Opcode ID: 418a87fb760587bef7583f4f3acae06d17b3011fc99645d3e11ea5bfcaa5fca8
                                                • Instruction ID: 6280ba3094977af7574bcd42248b285f756f81412eced5037130b5adcb3d4edb
                                                • Opcode Fuzzy Hash: 418a87fb760587bef7583f4f3acae06d17b3011fc99645d3e11ea5bfcaa5fca8
                                                • Instruction Fuzzy Hash: 55F03676B00204BFDB10CF55DD05E9FB7ADEB95750F10803AEE44F7150E6B499548B58
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 1005 402e41-402e6a call 40627e 1007 402e6f-402e73 1005->1007 1008 402f24-402f28 1007->1008 1009 402e79-402e7d 1007->1009 1010 402ea2-402eb5 1009->1010 1011 402e7f-402ea0 RegEnumValueW 1009->1011 1013 402ede-402ee5 RegEnumKeyW 1010->1013 1011->1010 1012 402f09-402f17 RegCloseKey 1011->1012 1012->1008 1014 402eb7-402eb9 1013->1014 1015 402ee7-402ef9 RegCloseKey call 406806 1013->1015 1014->1012 1016 402ebb-402ecf call 402e41 1014->1016 1021 402f19-402f1f 1015->1021 1022 402efb-402f07 RegDeleteKeyW 1015->1022 1016->1015 1023 402ed1-402edd 1016->1023 1021->1008 1022->1008 1023->1013
                                                C-Code - Quality: 48%
                                                			E00402E41(void* __eflags, void* _a4, short* _a8, signed int _a12) {
                                                				void* _v8;
                                                				int _v12;
                                                				short _v536;
                                                				void* _t27;
                                                				signed int _t33;
                                                				intOrPtr* _t35;
                                                				signed int _t45;
                                                				signed int _t46;
                                                				signed int _t47;
                                                
                                                				_t46 = _a12;
                                                				_t47 = _t46 & 0x00000300;
                                                				_t45 = _t46 & 0x00000001;
                                                				_t27 = E0040627E(__eflags, _a4, _a8, _t47 | 0x00000009,  &_v8); // executed
                                                				if(_t27 == 0) {
                                                					if((_a12 & 0x00000002) == 0) {
                                                						L3:
                                                						_push(0x105);
                                                						_push( &_v536);
                                                						_push(0);
                                                						while(RegEnumKeyW(_v8, ??, ??, ??) == 0) {
                                                							__eflags = _t45;
                                                							if(__eflags != 0) {
                                                								L10:
                                                								RegCloseKey(_v8);
                                                								return 0x3eb;
                                                							}
                                                							_t33 = E00402E41(__eflags, _v8,  &_v536, _a12);
                                                							__eflags = _t33;
                                                							if(_t33 != 0) {
                                                								break;
                                                							}
                                                							_push(0x105);
                                                							_push( &_v536);
                                                							_push(_t45);
                                                						}
                                                						RegCloseKey(_v8);
                                                						_t35 = E00406806(3);
                                                						if(_t35 != 0) {
                                                							return  *_t35(_a4, _a8, _t47, 0);
                                                						}
                                                						return RegDeleteKeyW(_a4, _a8);
                                                					}
                                                					_v12 = 0;
                                                					if(RegEnumValueW(_v8, 0,  &_v536,  &_v12, 0, 0, 0, 0) != 0x103) {
                                                						goto L10;
                                                					}
                                                					goto L3;
                                                				}
                                                				return _t27;
                                                			}













                                                APIs
                                                • RegEnumValueW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?,00100020,?,?,?), ref: 00402E95
                                                • RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402EE1
                                                • RegCloseKey.ADVAPI32(?,?,?), ref: 00402EEA
                                                • RegDeleteKeyW.ADVAPI32(?,?), ref: 00402F01
                                                • RegCloseKey.ADVAPI32(?,?,?), ref: 00402F0C
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.835235633.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.835227877.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835247650.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835255668.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835279889.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835287535.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835293393.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835311029.0000000000460000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835319576.000000000047B000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835326492.000000000047E000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900.jbxd
                                                Similarity
                                                • API ID: CloseEnum$DeleteValue
                                                • String ID:
                                                • API String ID: 1354259210-0
                                                • Opcode ID: 0ef7066dde05a2ca5f9e50454b412eec226e379908bdbcc4328f96335d0522a1
                                                • Instruction ID: 81522b48e592499502658fb4677f1b0f70c545d6b701466da39e5ccb8a756ba0
                                                • Opcode Fuzzy Hash: 0ef7066dde05a2ca5f9e50454b412eec226e379908bdbcc4328f96335d0522a1
                                                • Instruction Fuzzy Hash: 0F215A72500109BBEF129F90CE89EEF7A7DEB54344F110076B945B11A0E7B48E54AAA8
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 1024 739a1777-739a17b6 call 739a1b5f 1028 739a17bc-739a17c0 1024->1028 1029 739a18d6-739a18d8 1024->1029 1030 739a17c9-739a17d6 call 739a23e0 1028->1030 1031 739a17c2-739a17c8 call 739a239e 1028->1031 1036 739a17d8-739a17dd 1030->1036 1037 739a1806-739a180d 1030->1037 1031->1030 1040 739a17f8-739a17fb 1036->1040 1041 739a17df-739a17e0 1036->1041 1038 739a180f-739a182b call 739a25b5 call 739a15b4 call 739a1272 GlobalFree 1037->1038 1039 739a182d-739a1831 1037->1039 1064 739a1885-739a1889 1038->1064 1042 739a187e-739a1884 call 739a25b5 1039->1042 1043 739a1833-739a187c call 739a15c6 call 739a25b5 1039->1043 1040->1037 1044 739a17fd-739a17fe call 739a2d83 1040->1044 1046 739a17e8-739a17e9 call 739a2af8 1041->1046 1047 739a17e2-739a17e3 1041->1047 1042->1064 1043->1064 1058 739a1803 1044->1058 1055 739a17ee 1046->1055 1053 739a17f0-739a17f6 call 739a2770 1047->1053 1054 739a17e5-739a17e6 1047->1054 1063 739a1805 1053->1063 1054->1037 1054->1046 1055->1058 1058->1063 1063->1037 1068 739a188b-739a1899 call 739a2578 1064->1068 1069 739a18c6-739a18cd 1064->1069 1074 739a189b-739a189e 1068->1074 1075 739a18b1-739a18b8 1068->1075 1069->1029 1071 739a18cf-739a18d0 GlobalFree 1069->1071 1071->1029 1074->1075 1076 739a18a0-739a18a8 1074->1076 1075->1069 1077 739a18ba-739a18c5 call 739a153d 1075->1077 1076->1075 1078 739a18aa-739a18ab FreeLibrary 1076->1078 1077->1069 1078->1075
                                                C-Code - Quality: 88%
                                                			E739A1777(void* __edx, void* __edi, void* __esi, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
                                                				void _v36;
                                                				char _v136;
                                                				struct HINSTANCE__* _t37;
                                                				intOrPtr _t42;
                                                				void* _t48;
                                                				void* _t49;
                                                				void* _t50;
                                                				void* _t54;
                                                				intOrPtr _t57;
                                                				signed int _t61;
                                                				signed int _t63;
                                                				void* _t67;
                                                				void* _t68;
                                                				void* _t72;
                                                				void* _t76;
                                                
                                                				_t76 = __esi;
                                                				_t68 = __edi;
                                                				_t67 = __edx;
                                                				 *0x739a506c = _a8;
                                                				 *0x739a5070 = _a16;
                                                				 *0x739a5074 = _a12;
                                                				 *((intOrPtr*)(_a20 + 0xc))( *0x739a5048, E739A15B1);
                                                				_push(1); // executed
                                                				_t37 = E739A1B5F(); // executed
                                                				_t54 = _t37;
                                                				if(_t54 == 0) {
                                                					L28:
                                                					return _t37;
                                                				} else {
                                                					if( *((intOrPtr*)(_t54 + 4)) != 1) {
                                                						E739A239E(_t54);
                                                					}
                                                					_push(_t54);
                                                					E739A23E0(_t67);
                                                					_t57 =  *((intOrPtr*)(_t54 + 4));
                                                					if(_t57 == 0xffffffff) {
                                                						L14:
                                                						if(( *(_t54 + 0x1010) & 0x00000004) == 0) {
                                                							if( *((intOrPtr*)(_t54 + 4)) == 0) {
                                                								_push(_t54);
                                                								_t37 = E739A25B5();
                                                							} else {
                                                								_push(_t76);
                                                								_push(_t68);
                                                								_t61 = 8;
                                                								_t13 = _t54 + 0x1018; // 0x1018
                                                								memcpy( &_v36, _t13, _t61 << 2);
                                                								_t42 = E739A15C6(_t54,  &_v136);
                                                								 *(_t54 + 0x1034) =  *(_t54 + 0x1034) & 0x00000000;
                                                								_t18 = _t54 + 0x1018; // 0x1018
                                                								_t72 = _t18;
                                                								_push(_t54);
                                                								 *((intOrPtr*)(_t54 + 0x1020)) = _t42;
                                                								 *_t72 = 4;
                                                								E739A25B5();
                                                								_t63 = 8;
                                                								_t37 = memcpy(_t72,  &_v36, _t63 << 2);
                                                							}
                                                						} else {
                                                							_push(_t54);
                                                							E739A25B5();
                                                							_t37 = GlobalFree(E739A1272(E739A15B4(_t54)));
                                                						}
                                                						if( *((intOrPtr*)(_t54 + 4)) != 1) {
                                                							_t37 = E739A2578(_t54);
                                                							if(( *(_t54 + 0x1010) & 0x00000040) != 0 &&  *_t54 == 1) {
                                                								_t37 =  *(_t54 + 0x1008);
                                                								if(_t37 != 0) {
                                                									_t37 = FreeLibrary(_t37);
                                                								}
                                                							}
                                                							if(( *(_t54 + 0x1010) & 0x00000020) != 0) {
                                                								_t37 = E739A153D( *0x739a5068);
                                                							}
                                                						}
                                                						if(( *(_t54 + 0x1010) & 0x00000002) != 0) {
                                                							goto L28;
                                                						} else {
                                                							return GlobalFree(_t54);
                                                						}
                                                					}
                                                					_t48 =  *_t54;
                                                					if(_t48 == 0) {
                                                						if(_t57 != 1) {
                                                							goto L14;
                                                						}
                                                						E739A2D83(_t54);
                                                						L12:
                                                						_t54 = _t48;
                                                						L13:
                                                						goto L14;
                                                					}
                                                					_t49 = _t48 - 1;
                                                					if(_t49 == 0) {
                                                						L8:
                                                						_t48 = E739A2AF8(_t54); // executed
                                                						goto L12;
                                                					}
                                                					_t50 = _t49 - 1;
                                                					if(_t50 == 0) {
                                                						E739A2770(_t54);
                                                						goto L13;
                                                					}
                                                					if(_t50 != 1) {
                                                						goto L14;
                                                					}
                                                					goto L8;
                                                				}
                                                			}



















                                                APIs
                                                  • Part of subcall function 739A1B5F: GlobalFree.KERNEL32 ref: 739A1DD4
                                                  • Part of subcall function 739A1B5F: GlobalFree.KERNEL32 ref: 739A1DD9
                                                  • Part of subcall function 739A1B5F: GlobalFree.KERNEL32 ref: 739A1DDE
                                                • GlobalFree.KERNEL32 ref: 739A1825
                                                • FreeLibrary.KERNEL32(?), ref: 739A18AB
                                                • GlobalFree.KERNEL32 ref: 739A18D0
                                                  • Part of subcall function 739A239E: GlobalAlloc.KERNEL32(00000040,?), ref: 739A23CF
                                                  • Part of subcall function 739A2770: GlobalAlloc.KERNEL32(00000040,00000000,?,?,00000000,?,?,?,739A17F6,00000000), ref: 739A2840
                                                  • Part of subcall function 739A15C6: wsprintfW.USER32 ref: 739A15F4
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.835830546.00000000739A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 739A0000, based on PE: true
                                                • Associated: 00000000.00000002.835810972.00000000739A0000.00000002.00000001.01000000.00000004.sdmp
                                                • Associated: 00000000.00000002.835840431.00000000739A4000.00000002.00000001.01000000.00000004.sdmp
                                                • Associated: 00000000.00000002.835888037.00000000739A6000.00000002.00000001.01000000.00000004.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_739a0000_CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900.jbxd
                                                Similarity
                                                • API ID: Global$Free$Alloc$Librarywsprintf
                                                • String ID:
                                                • API String ID: 3962662361-3916222277
                                                • Opcode ID: 2b3f763df8081baaa824fb89969f600713f4f5e579294bec7ede32e4b6296239
                                                • Instruction ID: 258ddea313d4fa5481150bd13e4fbfa1ed482e5b0cbee47d9ec11b91569e17ae
                                                • Opcode Fuzzy Hash: 2b3f763df8081baaa824fb89969f600713f4f5e579294bec7ede32e4b6296239
                                                • Instruction Fuzzy Hash: 9341B172504304EBDB109F7C9888B9637BCBF04395F184375E94BAE1C6DBB88184D762
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 1081 402482-4024b3 call 402d3e * 2 call 402dce 1088 402bc2-402bd1 1081->1088 1089 4024b9-4024c3 1081->1089 1090 4024c5-4024d2 call 402d3e lstrlenW 1089->1090 1091 4024d6-4024d9 1089->1091 1090->1091 1095 4024db-4024ec call 402d1c 1091->1095 1096 4024ed-4024f0 1091->1096 1095->1096 1099 402501-402515 RegSetValueExW 1096->1099 1100 4024f2-4024fc call 40324c 1096->1100 1103 402517 1099->1103 1104 40251a-4025fb RegCloseKey 1099->1104 1100->1099 1103->1104 1104->1088
                                                C-Code - Quality: 83%
                                                			E00402482(void* __eax, int __ebx, intOrPtr __edx, void* __eflags) {
                                                				void* _t20;
                                                				void* _t21;
                                                				int _t24;
                                                				long _t25;
                                                				int _t30;
                                                				intOrPtr _t33;
                                                				void* _t34;
                                                				intOrPtr _t37;
                                                				void* _t39;
                                                				void* _t42;
                                                
                                                				_t42 = __eflags;
                                                				_t33 = __edx;
                                                				_t30 = __ebx;
                                                				_t37 =  *((intOrPtr*)(_t39 - 0x20));
                                                				_t34 = __eax;
                                                				 *(_t39 - 0x10) =  *(_t39 - 0x1c);
                                                				 *(_t39 - 0x44) = E00402D3E(2);
                                                				_t20 = E00402D3E(0x11);
                                                				 *(_t39 - 4) = 1;
                                                				_t21 = E00402DCE(_t42, _t34, _t20, 2); // executed
                                                				 *(_t39 + 8) = _t21;
                                                				if(_t21 != __ebx) {
                                                					_t24 = 0;
                                                					if(_t37 == 1) {
                                                						E00402D3E(0x23);
                                                						_t24 = lstrlenW(0x40b5f0) + _t29 + 2;
                                                					}
                                                					if(_t37 == 4) {
                                                						 *0x40b5f0 = E00402D1C(3);
                                                						 *((intOrPtr*)(_t39 - 0x38)) = _t33;
                                                						_t24 = _t37;
                                                					}
                                                					if(_t37 == 3) {
                                                						_t24 = E0040324C( *((intOrPtr*)(_t39 - 0x24)), _t30, 0x40b5f0, 0x1800); // executed
                                                					}
                                                					_t25 = RegSetValueExW( *(_t39 + 8),  *(_t39 - 0x44), _t30,  *(_t39 - 0x10), 0x40b5f0, _t24); // executed
                                                					if(_t25 == 0) {
                                                						 *(_t39 - 4) = _t30;
                                                					}
                                                					_push( *(_t39 + 8));
                                                					RegCloseKey(); // executed
                                                				}
                                                				 *0x434fa8 =  *0x434fa8 +  *(_t39 - 4);
                                                				return 0;
                                                			}














                                                APIs
                                                • lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\nso5721.tmp,00000023,00000011,00000002), ref: 004024CD
                                                • RegSetValueExW.KERNELBASE(?,?,?,?,C:\Users\user\AppData\Local\Temp\nso5721.tmp,00000000,00000011,00000002), ref: 0040250D
                                                • RegCloseKey.KERNELBASE(?,?,?,C:\Users\user\AppData\Local\Temp\nso5721.tmp,00000000,00000011,00000002), ref: 004025F5
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.835235633.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.835227877.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835247650.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835255668.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835279889.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835287535.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835293393.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835311029.0000000000460000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835319576.000000000047B000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835326492.000000000047E000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900.jbxd
                                                Similarity
                                                • API ID: CloseValuelstrlen
                                                • String ID: C:\Users\user\AppData\Local\Temp\nso5721.tmp
                                                • API String ID: 2655323295-2929068254
                                                • Opcode ID: 9e720649662cdc413bd8d4d136e207e08986e5d50d4fc5c41021c63d7149cc75
                                                • Instruction ID: 7edbd774ff12736b5c68cca40ff53a8b2e2340a941a441eef078c8e93cf21856
                                                • Opcode Fuzzy Hash: 9e720649662cdc413bd8d4d136e207e08986e5d50d4fc5c41021c63d7149cc75
                                                • Instruction Fuzzy Hash: 1C11AF71E00108BEDB00AFA5CE49AAEBBB8EF44314F20443AF504B71D1D7B89D409A68
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 86%
                                                			E004015C1(short __ebx, void* __eflags) {
                                                				void* _t17;
                                                				int _t23;
                                                				void* _t25;
                                                				signed char _t26;
                                                				short _t28;
                                                				short _t31;
                                                				short* _t34;
                                                				void* _t36;
                                                
                                                				_t28 = __ebx;
                                                				 *(_t36 + 8) = E00402D3E(0xfffffff0);
                                                				_t17 = E00405D91(_t16);
                                                				_t32 = _t17;
                                                				if(_t17 != __ebx) {
                                                					do {
                                                						_t34 = E00405D13(_t32, 0x5c);
                                                						_t31 =  *_t34;
                                                						 *_t34 = _t28;
                                                						if(_t31 != _t28) {
                                                							L5:
                                                							_t25 = E004059C5( *(_t36 + 8));
                                                						} else {
                                                							_t42 =  *((intOrPtr*)(_t36 - 0x28)) - _t28;
                                                							if( *((intOrPtr*)(_t36 - 0x28)) == _t28 || E004059E2(_t42) == 0) {
                                                								goto L5;
                                                							} else {
                                                								_t25 = E00405948( *(_t36 + 8)); // executed
                                                							}
                                                						}
                                                						if(_t25 != _t28) {
                                                							if(_t25 != 0xb7) {
                                                								L9:
                                                								 *((intOrPtr*)(_t36 - 4)) =  *((intOrPtr*)(_t36 - 4)) + 1;
                                                							} else {
                                                								_t26 = GetFileAttributesW( *(_t36 + 8)); // executed
                                                								if((_t26 & 0x00000010) == 0) {
                                                									goto L9;
                                                								}
                                                							}
                                                						}
                                                						 *_t34 = _t31;
                                                						_t32 = _t34 + 2;
                                                					} while (_t31 != _t28);
                                                				}
                                                				if( *((intOrPtr*)(_t36 - 0x2c)) == _t28) {
                                                					_push(0xfffffff5);
                                                					E00401423();
                                                				} else {
                                                					E00401423(0xffffffe6);
                                                					E00406411(L"C:\\Users\\jones\\AppData\\Roaming\\Shoved\\Factorist",  *(_t36 + 8));
                                                					_t23 = SetCurrentDirectoryW( *(_t36 + 8)); // executed
                                                					if(_t23 == 0) {
                                                						 *((intOrPtr*)(_t36 - 4)) =  *((intOrPtr*)(_t36 - 4)) + 1;
                                                					}
                                                				}
                                                				 *0x434fa8 =  *0x434fa8 +  *((intOrPtr*)(_t36 - 4));
                                                				return 0;
                                                			}












                                                APIs
                                                  • Part of subcall function 00405D91: CharNextW.USER32(?,?,0042FA70,?,00405E05,0042FA70,0042FA70,7476FAA0,?,C:\Users\user\AppData\Local\Temp\,00405B43,?,7476FAA0,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405D9F
                                                  • Part of subcall function 00405D91: CharNextW.USER32(00000000), ref: 00405DA4
                                                  • Part of subcall function 00405D91: CharNextW.USER32(00000000), ref: 00405DBC
                                                • GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 0040161A
                                                  • Part of subcall function 00405948: CreateDirectoryW.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 0040598B
                                                • SetCurrentDirectoryW.KERNELBASE(?,C:\Users\user\AppData\Roaming\Shoved\Factorist,?,00000000,000000F0), ref: 0040164D
                                                Strings
                                                • C:\Users\user\AppData\Roaming\Shoved\Factorist, xrefs: 00401640
                                                Similarity
                                                • API ID: CharNext$Directory$AttributesCreateCurrentFile
                                                • String ID: C:\Users\user\AppData\Roaming\Shoved\Factorist
                                                • API String ID: 1892508949-196838919
                                                • Opcode ID: 8bd5528b3ed13611c2729177aa216aa5dfd0a4f92ec19a6671f3c1d709377d7f
                                                • Instruction ID: d42e9ae115e382ed64a017e661d14a8570f8e1ce7a364987760287960e16c3b9
                                                • Opcode Fuzzy Hash: 8bd5528b3ed13611c2729177aa216aa5dfd0a4f92ec19a6671f3c1d709377d7f
                                                • Instruction Fuzzy Hash: B411DD31504110EBCF206FA5CD4199F3BB0EF25369B28493BEA51B22F1DA3E49819A5E
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 89%
                                                			E004053ED(struct HWND__* _a4, int _a8, int _a12, long _a16) {
                                                				long _t9;
                                                				int _t15;
                                                				long _t16;
                                                
                                                				_t15 = _a8;
                                                				if(_t15 != 0x102) {
                                                					if(_t15 != 0x200) {
                                                						_t16 = _a16;
                                                						L7:
                                                						if(_t15 == 0x419 &&  *0x42d254 != _t16) {
                                                							_push(_t16);
                                                							_push(6);
                                                							 *0x42d254 = _t16;
                                                							E00404DA2();
                                                						}
                                                						L11:
                                                						_t9 = CallWindowProcW( *0x42d25c, _a4, _t15, _a12, _t16); // executed
                                                						return _t9;
                                                					}
                                                					if(IsWindowVisible(_a4) == 0) {
                                                						L10:
                                                						_t16 = _a16;
                                                						goto L11;
                                                					}
                                                					_t16 = E00404D22(_a4, 1);
                                                					_t15 = 0x419;
                                                					goto L7;
                                                				}
                                                				if(_a12 != 0x20) {
                                                					goto L10;
                                                				}
                                                				E004043B3(0x413);
                                                				return 0;
                                                			}







                                                APIs
                                                • IsWindowVisible.USER32 ref: 0040541C
                                                • CallWindowProcW.USER32(?,?,?,?), ref: 0040546D
                                                  • Part of subcall function 004043B3: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 004043C5
                                                Strings
                                                Similarity
                                                • API ID: Window$CallMessageProcSendVisible
                                                • String ID:
                                                • API String ID: 3748168415-3916222277
                                                • Opcode ID: 26e100c8e936244900aacf90f380f9ed614629df6b7f9272593e4765ff02ca63
                                                • Instruction ID: 5278ea034fccd8c5818adddfb220a11f4cbf18c481ac084eeec191c980f5e464
                                                • Opcode Fuzzy Hash: 26e100c8e936244900aacf90f380f9ed614629df6b7f9272593e4765ff02ca63
                                                • Instruction Fuzzy Hash: F9012C71200609AFDF216F11DD80BDB3B66EB84756F504036FB01752E2C77A8C92DA6E
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 90%
                                                			E004062DF(void* __ecx, void* __eflags, intOrPtr _a4, int _a8, short* _a12, char* _a16, signed int _a20) {
                                                				int _v8;
                                                				long _t21;
                                                				long _t24;
                                                				char* _t30;
                                                
                                                				asm("sbb eax, eax");
                                                				_v8 = 0x800;
                                                				_t21 = E0040627E(__eflags, _a4, _a8,  ~_a20 & 0x00000100 | 0x00020019,  &_a20); // executed
                                                				_t30 = _a16;
                                                				if(_t21 != 0) {
                                                					L4:
                                                					 *_t30 =  *_t30 & 0x00000000;
                                                				} else {
                                                					_t24 = RegQueryValueExW(_a20, _a12, 0,  &_a8, _t30,  &_v8);
                                                					_t21 = RegCloseKey(_a20);
                                                					_t30[0x7fe] = _t30[0x7fe] & 0x00000000;
                                                					if(_t24 != 0 || _a8 != 1 && _a8 != 2) {
                                                						goto L4;
                                                					}
                                                				}
                                                				return _t21;
                                                			}








                                                APIs
                                                • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000800,00000002,0042C248,00000000,?,?,Call,?,?,0040656E,80000002), ref: 00406325
                                                • RegCloseKey.ADVAPI32(?,?,0040656E,80000002,Software\Microsoft\Windows\CurrentVersion,Call,Call,Call,00000000,0042C248), ref: 00406330
                                                Strings
                                                Similarity
                                                • API ID: CloseQueryValue
                                                • String ID: Call
                                                • API String ID: 3356406503-1824292864
                                                • Opcode ID: 5e421e957683aa7155fe1e1f393967b6404614e05e15b89e99e168e2dc4a01c3
                                                • Instruction ID: 844154995e22508991f9c2085a3ddc533437a0a8a5a4e2329c4a16b7f523fd8f
                                                • Opcode Fuzzy Hash: 5e421e957683aa7155fe1e1f393967b6404614e05e15b89e99e168e2dc4a01c3
                                                • Instruction Fuzzy Hash: CF017172500209EBDF218F55CD05EDB3BA9EB54394F05803AFD5592150E738D964DBA4
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E004059FA(WCHAR* _a4) {
                                                				struct _PROCESS_INFORMATION _v20;
                                                				int _t7;
                                                
                                                				0x430270->cb = 0x44;
                                                				_t7 = CreateProcessW(0, _a4, 0, 0, 0, 0x4000000, 0, 0, 0x430270,  &_v20); // executed
                                                				if(_t7 != 0) {
                                                					CloseHandle(_v20.hThread);
                                                					return _v20.hProcess;
                                                				}
                                                				return _t7;
                                                			}






                                                APIs
                                                Strings
                                                • Error launching installer, xrefs: 00405A0D
                                                Similarity
                                                • API ID: CloseCreateHandleProcess
                                                • String ID: Error launching installer
                                                • API String ID: 3712363035-66219284
                                                • Opcode ID: 4cad7792158b69fc064c933527736888f22fedd2346a68a48c9e5725d4d2403f
                                                • Instruction ID: 9b609aa4dbda1b40da6c9694c56aee9f908f129f2491f8ac19b90d9f5f8e4f4b
                                                • Opcode Fuzzy Hash: 4cad7792158b69fc064c933527736888f22fedd2346a68a48c9e5725d4d2403f
                                                • Instruction Fuzzy Hash: 19E0B6B4600209BFEB109FA4EE49F7B7AACEB04708F004565BD50F6191DBB8EC158A7C
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 60%
                                                			E004020D0(void* __ebx, void* __eflags) {
                                                				struct HINSTANCE__* _t23;
                                                				struct HINSTANCE__* _t31;
                                                				void* _t32;
                                                				WCHAR* _t35;
                                                				intOrPtr* _t36;
                                                				void* _t37;
                                                				void* _t39;
                                                
                                                				_t32 = __ebx;
                                                				asm("sbb eax, 0x434fd8");
                                                				 *(_t39 - 4) = 1;
                                                				if(__eflags < 0) {
                                                					_push(0xffffffe7);
                                                					L15:
                                                					E00401423();
                                                					L16:
                                                					 *0x434fa8 =  *0x434fa8 +  *(_t39 - 4);
                                                					return 0;
                                                				}
                                                				_t35 = E00402D3E(0xfffffff0);
                                                				 *((intOrPtr*)(_t39 - 0x44)) = E00402D3E(1);
                                                				if( *((intOrPtr*)(_t39 - 0x20)) == __ebx) {
                                                					L3:
                                                					_t23 = LoadLibraryExW(_t35, _t32, 8); // executed
                                                					_t47 = _t23 - _t32;
                                                					 *(_t39 + 8) = _t23;
                                                					if(_t23 == _t32) {
                                                						_push(0xfffffff6);
                                                						goto L15;
                                                					}
                                                					L4:
                                                					_t36 = E00406875(_t47,  *(_t39 + 8),  *((intOrPtr*)(_t39 - 0x44)));
                                                					if(_t36 == _t32) {
                                                						E00405479(0xfffffff7,  *((intOrPtr*)(_t39 - 0x44)));
                                                					} else {
                                                						 *(_t39 - 4) = _t32;
                                                						if( *((intOrPtr*)(_t39 - 0x28)) == _t32) {
                                                							 *_t36( *((intOrPtr*)(_t39 - 8)), 0x400, _t37, 0x40ce50, 0x40a000); // executed
                                                						} else {
                                                							E00401423( *((intOrPtr*)(_t39 - 0x28)));
                                                							if( *_t36() != 0) {
                                                								 *(_t39 - 4) = 1;
                                                							}
                                                						}
                                                					}
                                                					if( *((intOrPtr*)(_t39 - 0x24)) == _t32 && E00403A80( *(_t39 + 8)) != 0) {
                                                						FreeLibrary( *(_t39 + 8));
                                                					}
                                                					goto L16;
                                                				}
                                                				_t31 = GetModuleHandleW(_t35); // executed
                                                				 *(_t39 + 8) = _t31;
                                                				if(_t31 != __ebx) {
                                                					goto L4;
                                                				}
                                                				goto L3;
                                                			}

                                                APIs
                                                • GetModuleHandleW.KERNELBASE(00000000,00000001,000000F0), ref: 004020FB
                                                  • Part of subcall function 00405479: lstrlenW.KERNEL32(0042C248,00000000,00425A20,7476EA30,?,?,?,?,?,?,?,?,?,004033B0,00000000,?), ref: 004054B1
                                                  • Part of subcall function 00405479: lstrlenW.KERNEL32(004033B0,0042C248,00000000,00425A20,7476EA30,?,?,?,?,?,?,?,?,?,004033B0,00000000), ref: 004054C1
                                                  • Part of subcall function 00405479: lstrcatW.KERNEL32(0042C248,004033B0), ref: 004054D4
                                                  • Part of subcall function 00405479: SetWindowTextW.USER32(0042C248,0042C248), ref: 004054E6
                                                  • Part of subcall function 00405479: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040550C
                                                  • Part of subcall function 00405479: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405526
                                                  • Part of subcall function 00405479: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405534
                                                • LoadLibraryExW.KERNELBASE(00000000,?,00000008,00000001,000000F0), ref: 0040210C
                                                • FreeLibrary.KERNEL32(?,?,000000F7,?,?,00000008,00000001,000000F0), ref: 00402189
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.835235633.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900.jbxd
                                                Similarity
                                                • API ID: MessageSend$Librarylstrlen$FreeHandleLoadModuleTextWindowlstrcat
                                                • String ID:
                                                • API String ID: 334405425-0
                                                • Opcode ID: 78ecc952e10d997ac4934020b2af859247c5bfa8e95875e99b3b14e24fd3f8e7
                                                • Instruction ID: ec066b6349dd7fa10fed5d852794e64c7c96c86c32cb5d354c2886168094fa20
                                                • Opcode Fuzzy Hash: 78ecc952e10d997ac4934020b2af859247c5bfa8e95875e99b3b14e24fd3f8e7
                                                • Instruction Fuzzy Hash: A7219931500104EBCF10AFA5CE49A9E7A71AF44354F34413BF515B51E0CBBD9D829A1D
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 86%
                                                			E00402596(int* __ebx, intOrPtr __edx, short* __edi) {
                                                				void* _t9;
                                                				int _t10;
                                                				long _t13;
                                                				int* _t16;
                                                				intOrPtr _t21;
                                                				short* _t22;
                                                				void* _t24;
                                                				void* _t26;
                                                				void* _t29;
                                                
                                                				_t22 = __edi;
                                                				_t21 = __edx;
                                                				_t16 = __ebx;
                                                				_t9 = E00402D7E(_t29, 0x20019); // executed
                                                				_t24 = _t9;
                                                				_t10 = E00402D1C(3);
                                                				 *((intOrPtr*)(_t26 - 0x10)) = _t21;
                                                				 *__edi = __ebx;
                                                				if(_t24 == __ebx) {
                                                					 *((intOrPtr*)(_t26 - 4)) = 1;
                                                				} else {
                                                					 *(_t26 + 8) = 0x3ff;
                                                					if( *((intOrPtr*)(_t26 - 0x20)) == __ebx) {
                                                						_t13 = RegEnumValueW(_t24, _t10, __edi, _t26 + 8, __ebx, __ebx, __ebx, __ebx); // executed
                                                						__eflags = _t13;
                                                						if(_t13 != 0) {
                                                							 *((intOrPtr*)(_t26 - 4)) = 1;
                                                						}
                                                					} else {
                                                						RegEnumKeyW(_t24, _t10, __edi, 0x3ff);
                                                					}
                                                					_t22[0x3ff] = _t16;
                                                					_push(_t24); // executed
                                                					RegCloseKey(); // executed
                                                				}
                                                				 *0x434fa8 =  *0x434fa8 +  *((intOrPtr*)(_t26 - 4));
                                                				return 0;
                                                			}

                                                APIs
                                                • RegEnumKeyW.ADVAPI32(00000000,00000000,?,000003FF), ref: 004025C9
                                                • RegEnumValueW.KERNELBASE(00000000,00000000,?,?), ref: 004025DC
                                                • RegCloseKey.KERNELBASE(?,?,?,C:\Users\user\AppData\Local\Temp\nso5721.tmp,00000000,00000011,00000002), ref: 004025F5
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.835235633.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900.jbxd
                                                Similarity
                                                • API ID: Enum$CloseValue
                                                • String ID:
                                                • API String ID: 397863658-0
                                                • Opcode ID: 7e2c7bfb651a1333adc8038a86be957ed4d1f5f45db318ed8e83b607926505dd
                                                • Instruction ID: a8e4f27cd85b524b938bc80bb312ff0c07efa3365ef466736b2b8963d993c2c8
                                                • Opcode Fuzzy Hash: 7e2c7bfb651a1333adc8038a86be957ed4d1f5f45db318ed8e83b607926505dd
                                                • Instruction Fuzzy Hash: 92017C71A11504BBEB149FA49E48AAFB77CEF40348F10403AF501B61C0D7B85E40866D
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 84%
                                                			E00402522(int* __ebx, char* __edi) {
                                                				void* _t17;
                                                				short* _t18;
                                                				void* _t35;
                                                				void* _t37;
                                                				void* _t40;
                                                
                                                				_t33 = __edi;
                                                				_t27 = __ebx;
                                                				_t17 = E00402D7E(_t40, 0x20019); // executed
                                                				_t35 = _t17;
                                                				_t18 = E00402D3E(0x33);
                                                				 *__edi = __ebx;
                                                				if(_t35 == __ebx) {
                                                					 *(_t37 - 4) = 1;
                                                				} else {
                                                					 *(_t37 - 0x10) = 0x800;
                                                					if(RegQueryValueExW(_t35, _t18, __ebx, _t37 + 8, __edi, _t37 - 0x10) != 0) {
                                                						L7:
                                                						 *_t33 = _t27;
                                                						 *(_t37 - 4) = 1;
                                                					} else {
                                                						if( *(_t37 + 8) == 4) {
                                                							__eflags =  *(_t37 - 0x20) - __ebx;
                                                							 *(_t37 - 4) = 0 |  *(_t37 - 0x20) == __ebx;
                                                							E00406358(__edi,  *__edi);
                                                						} else {
                                                							if( *(_t37 + 8) == 1 ||  *(_t37 + 8) == 2) {
                                                								 *(_t37 - 4) =  *(_t37 - 0x20);
                                                								_t33[0x7fe] = _t27;
                                                							} else {
                                                								goto L7;
                                                							}
                                                						}
                                                					}
                                                					_push(_t35); // executed
                                                					RegCloseKey(); // executed
                                                				}
                                                				 *0x434fa8 =  *0x434fa8 +  *(_t37 - 4);
                                                				return 0;
                                                			}

                                                APIs
                                                • RegQueryValueExW.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,?,00000033), ref: 00402553
                                                • RegCloseKey.KERNELBASE(?,?,?,C:\Users\user\AppData\Local\Temp\nso5721.tmp,00000000,00000011,00000002), ref: 004025F5
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.835235633.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900.jbxd
                                                Similarity
                                                • API ID: CloseQueryValue
                                                • String ID:
                                                • API String ID: 3356406503-0
                                                • Opcode ID: 3b8b1e0f684718fab1855b03e1fec85b6eef462078d4d3cdd57d81b9b6cfbe6e
                                                • Instruction ID: af493c066ab36ea8406690c3d62a07c4fb2ed7115def6bf4d18b774961f6c260
                                                • Opcode Fuzzy Hash: 3b8b1e0f684718fab1855b03e1fec85b6eef462078d4d3cdd57d81b9b6cfbe6e
                                                • Instruction Fuzzy Hash: CD116A71910209EBCF14DFA4CA589AEB774FF04354B20843BE402B62C0D3B88A44DB5E
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 69%
                                                			E00401389(signed int _a4) {
                                                				intOrPtr* _t6;
                                                				void* _t8;
                                                				void* _t10;
                                                				signed int _t11;
                                                				void* _t12;
                                                				signed int _t16;
                                                				signed int _t17;
                                                				void* _t18;
                                                
                                                				_t17 = _a4;
                                                				while(_t17 >= 0) {
                                                					_t6 = _t17 * 0x1c +  *0x434f50;
                                                					if( *_t6 == 1) {
                                                						break;
                                                					}
                                                					_push(_t6); // executed
                                                					_t8 = E00401434(); // executed
                                                					if(_t8 == 0x7fffffff) {
                                                						return 0x7fffffff;
                                                					}
                                                					_t10 = E0040136D(_t8);
                                                					if(_t10 != 0) {
                                                						_t11 = _t10 - 1;
                                                						_t16 = _t17;
                                                						_t17 = _t11;
                                                						_t12 = _t11 - _t16;
                                                					} else {
                                                						_t12 = _t10 + 1;
                                                						_t17 = _t17 + 1;
                                                					}
                                                					if( *((intOrPtr*)(_t18 + 0xc)) != 0) {
                                                						 *0x433eec =  *0x433eec + _t12;
                                                						SendMessageW( *(_t18 + 0x18), 0x402, MulDiv( *0x433eec, 0x7530,  *0x433ed4), 0);
                                                					}
                                                				}
                                                				return 0;
                                                			}

                                                APIs
                                                • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
                                                • SendMessageW.USER32(00000402,00000402,00000000), ref: 004013F4
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.835235633.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.835227877.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835247650.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835255668.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835279889.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835287535.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835293393.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835311029.0000000000460000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835319576.000000000047B000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835326492.000000000047E000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900.jbxd
                                                Similarity
                                                • API ID: MessageSend
                                                • String ID:
                                                • API String ID: 3850602802-0
                                                • Opcode ID: c5196716ed2294a5b6683282f685902d4e4d655c798d26bf32279206d375a943
                                                • Instruction ID: f4b073df4371d13d5e47470e1508f1e4354d1df05d26164fcbedf483487d3525
                                                • Opcode Fuzzy Hash: c5196716ed2294a5b6683282f685902d4e4d655c798d26bf32279206d375a943
                                                • Instruction Fuzzy Hash: 4D01F4316242209FE7094B389D05B6A3698E710319F14823FF855F65F1EA78DC029B4C
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E0040242C(void* __ebx) {
                                                				long _t7;
                                                				void* _t10;
                                                				void* _t14;
                                                				long _t18;
                                                				intOrPtr _t20;
                                                				void* _t22;
                                                				void* _t23;
                                                
                                                				_t14 = __ebx;
                                                				_t26 =  *(_t23 - 0x20) - __ebx;
                                                				_t20 =  *((intOrPtr*)(_t23 - 0x2c));
                                                				if( *(_t23 - 0x20) != __ebx) {
                                                					_t7 = E00402DFC(_t20, E00402D3E(0x22),  *(_t23 - 0x20) >> 1); // executed
                                                					_t18 = _t7;
                                                					goto L4;
                                                				} else {
                                                					_t10 = E00402D7E(_t26, 2); // executed
                                                					_t22 = _t10;
                                                					if(_t22 == __ebx) {
                                                						L6:
                                                						 *((intOrPtr*)(_t23 - 4)) = 1;
                                                					} else {
                                                						_t18 = RegDeleteValueW(_t22, E00402D3E(0x33));
                                                						RegCloseKey(_t22);
                                                						L4:
                                                						if(_t18 != _t14) {
                                                							goto L6;
                                                						}
                                                					}
                                                				}
                                                				 *0x434fa8 =  *0x434fa8 +  *((intOrPtr*)(_t23 - 4));
                                                				return 0;
                                                			}










                                                APIs
                                                • RegDeleteValueW.ADVAPI32(00000000,00000000,00000033), ref: 0040244E
                                                • RegCloseKey.ADVAPI32(00000000), ref: 00402457
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.835235633.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900.jbxd
                                                Similarity
                                                • API ID: CloseDeleteValue
                                                • String ID:
                                                • API String ID: 2831762973-0
                                                • Opcode ID: 047f31a594ad1d9cf841833c20fb6c4a455a6b04475d38f7d1b8b40705fc536e
                                                • Instruction ID: 85a5e790261a6a1b6dedd729f081e1fb82c2b0bf937f90b5091167455713ef2b
                                                • Opcode Fuzzy Hash: 047f31a594ad1d9cf841833c20fb6c4a455a6b04475d38f7d1b8b40705fc536e
                                                • Instruction Fuzzy Hash: 5AF06232A00120ABDB10AFA89A4DAAE73A5AF44314F16043FE651B71C1DAFC5D01563D
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • ShowWindow.USER32(00000000,00000000), ref: 00401EFC
                                                • EnableWindow.USER32(00000000,00000000), ref: 00401F07
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.835235633.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900.jbxd
                                                Similarity
                                                • API ID: Window$EnableShow
                                                • String ID:
                                                • API String ID: 1136574915-0
                                                • Opcode ID: ba2a3c5e5c5e776cdf5630d67b2c53ff1ecd8db0fb1778bda333e84ab02891b0
                                                • Instruction ID: 5d2b838fc97348560faaf82546316e7c29db3ee13ca796b15ebd5141c346d58e
                                                • Opcode Fuzzy Hash: ba2a3c5e5c5e776cdf5630d67b2c53ff1ecd8db0fb1778bda333e84ab02891b0
                                                • Instruction Fuzzy Hash: 6FE09A32A042009FD704EFA4AE484AEB3B4EB90325B20097FE401F20C1CBB85C008A2D
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E00406806(signed int _a4) {
                                                				struct HINSTANCE__* _t5;
                                                				signed int _t10;
                                                
                                                				_t10 = _a4 << 3;
                                                				_t8 =  *(_t10 + 0x40a3e0);
                                                				_t5 = GetModuleHandleA( *(_t10 + 0x40a3e0));
                                                				if(_t5 != 0) {
                                                					L2:
                                                					return GetProcAddress(_t5,  *(_t10 + 0x40a3e4));
                                                				}
                                                				_t5 = E00406796(_t8); // executed
                                                				if(_t5 == 0) {
                                                					return 0;
                                                				}
                                                				goto L2;
                                                			}





                                                APIs
                                                • GetModuleHandleA.KERNEL32(?,00000020,?,00403537,0000000B), ref: 00406818
                                                • GetProcAddress.KERNEL32(00000000,?), ref: 00406833
                                                  • Part of subcall function 00406796: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004067AD
                                                  • Part of subcall function 00406796: wsprintfW.USER32 ref: 004067E8
                                                  • Part of subcall function 00406796: LoadLibraryExW.KERNELBASE(?,00000000,00000008), ref: 004067FC
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.835235633.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900.jbxd
                                                Similarity
                                                • API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
                                                • String ID:
                                                • API String ID: 2547128583-0
                                                • Opcode ID: 04b739db586b670126c7119b566f03dd1efc4ec82adb23a6bbf3e60323b3d7ce
                                                • Instruction ID: c5f632ab0fd527bf8e68b4786b10832766149758e6d8e51d9ba55f9b7eb13659
                                                • Opcode Fuzzy Hash: 04b739db586b670126c7119b566f03dd1efc4ec82adb23a6bbf3e60323b3d7ce
                                                • Instruction Fuzzy Hash: 30E0863350421056E211AA746E44C7B77A89F99750307843EF956F2080D738DC359679
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 68%
                                                			E00405F07(WCHAR* _a4, long _a8, long _a12) {
                                                				signed int _t5;
                                                				void* _t6;
                                                
                                                				_t5 = GetFileAttributesW(_a4); // executed
                                                				asm("sbb ecx, ecx");
                                                				_t6 = CreateFileW(_a4, _a8, 1, 0, _a12,  ~(_t5 + 1) & _t5, 0); // executed
                                                				return _t6;
                                                			}





                                                APIs
                                                • GetFileAttributesW.KERNELBASE(?,00403055,C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe,80000000,00000003,?,00000007,00000009,0000000B), ref: 00405F0B
                                                • CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,00000007,00000009,0000000B), ref: 00405F2D
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.835235633.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900.jbxd
                                                Similarity
                                                • API ID: File$AttributesCreate
                                                • String ID:
                                                • API String ID: 415043291-0
                                                • Opcode ID: 080dfadfdaad2818d5b04c51cfada36c475993ea7ffea5996e238fb5a0e3a6c4
                                                • Instruction ID: 1030bc0f2bf25390ef9c6131bda9d6cfedcac9e68b753c15eded60bf4a570351
                                                • Opcode Fuzzy Hash: 080dfadfdaad2818d5b04c51cfada36c475993ea7ffea5996e238fb5a0e3a6c4
                                                • Instruction Fuzzy Hash: 5ED09E31254201AFEF098F20DE16F2E7BA2EB94B04F11552CB786941E0DAB15C199B15
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E00405EE2(WCHAR* _a4) {
                                                				signed char _t3;
                                                				signed char _t7;
                                                
                                                				_t3 = GetFileAttributesW(_a4); // executed
                                                				_t7 = _t3;
                                                				if(_t7 != 0xffffffff) {
                                                					SetFileAttributesW(_a4, _t3 & 0x000000fe);
                                                				}
                                                				return _t7;
                                                			}





                                                APIs
                                                • GetFileAttributesW.KERNELBASE(?,?,00405AE7,?,?,00000000,00405CBD,?,?,?,?), ref: 00405EE7
                                                • SetFileAttributesW.KERNEL32(?,00000000), ref: 00405EFB
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.835235633.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900.jbxd
                                                Similarity
                                                • API ID: AttributesFile
                                                • String ID:
                                                • API String ID: 3188754299-0
                                                • Opcode ID: a764032cc0ce64e7f87df91ab84dfb27e8fca44cfd77f22972d2dc2d25b91850
                                                • Instruction ID: 11a24c4abb36edafbee48cc994cb64d758a4bce1ebd63d049f972be52462095a
                                                • Opcode Fuzzy Hash: a764032cc0ce64e7f87df91ab84dfb27e8fca44cfd77f22972d2dc2d25b91850
                                                • Instruction Fuzzy Hash: C7D0C9725045316BC2102728AF0889BBB55EB643717054A35F9A5A22B0CB314C528A98
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E004059C5(WCHAR* _a4) {
                                                				int _t2;
                                                
                                                				_t2 = CreateDirectoryW(_a4, 0); // executed
                                                				if(_t2 == 0) {
                                                					return GetLastError();
                                                				}
                                                				return 0;
                                                			}




                                                APIs
                                                • CreateDirectoryW.KERNELBASE(?,00000000,004034B8,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040370F,?,00000007,00000009,0000000B), ref: 004059CB
                                                • GetLastError.KERNEL32(?,00000007,00000009,0000000B), ref: 004059D9
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.835235633.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900.jbxd
                                                Similarity
                                                • API ID: CreateDirectoryErrorLast
                                                • String ID:
                                                • API String ID: 1375471231-0
                                                • Opcode ID: a5afa482e644e9a10fedfab033ae5dbb8931bf23a9e1c5533d9f8c1a63861871
                                                • Instruction ID: 1e5fcd6d8aa83e7c3539c134ce858d200345c8ad9b438ef6e258ac5dd368824a
                                                • Opcode Fuzzy Hash: a5afa482e644e9a10fedfab033ae5dbb8931bf23a9e1c5533d9f8c1a63861871
                                                • Instruction Fuzzy Hash: 27C04C71204541EEE6505B20AE09B177A909B50751F26843A6147F01A0DA388455E93D
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 18%
                                                			E739A2AF8(intOrPtr _a4) {
                                                				signed int _v8;
                                                				void* _t28;
                                                				void* _t29;
                                                				void* _t33;
                                                				void* _t37;
                                                				void* _t40;
                                                				void* _t45;
                                                				void* _t49;
                                                				signed int _t56;
                                                				void* _t61;
                                                				void* _t69;
                                                				intOrPtr _t70;
                                                				signed int _t75;
                                                				intOrPtr _t77;
                                                				intOrPtr _t78;
                                                				void* _t79;
                                                				void* _t85;
                                                				void* _t86;
                                                				void* _t87;
                                                				void* _t88;
                                                				intOrPtr _t91;
                                                				intOrPtr _t92;
                                                
                                                				if( *0x739a5050 != 0 && E739A2A3B(_a4) == 0) {
                                                					 *0x739a5054 = _t91;
                                                					if( *0x739a504c != 0) {
                                                						_t91 =  *0x739a504c;
                                                					} else {
                                                						E739A2A35();
                                                						L739A3020();
                                                						 *0x739a504c = _t91;
                                                					}
                                                				}
                                                				_t28 = E739A2A69(_a4);
                                                				_t92 = _t91 + 4;
                                                				if(_t28 <= 0) {
                                                					L9:
                                                					_t29 = E739A2A5D();
                                                					_t70 = _a4;
                                                					_t77 =  *0x739a5058;
                                                					 *((intOrPtr*)(_t29 + _t70)) = _t77;
                                                					 *0x739a5058 = _t70;
                                                					E739A2A57();
                                                					_t33 = CreateFileA(??, ??, ??, ??, ??, ??, ??); // executed
                                                					 *0x739a5034 = _t33;
                                                					 *0x739a5038 = _t77;
                                                					if( *0x739a5050 != 0 && E739A2A3B( *0x739a5058) == 0) {
                                                						 *0x739a504c = _t92;
                                                						_t92 =  *0x739a5054;
                                                					}
                                                					_t78 =  *0x739a5058;
                                                					_a4 = _t78;
                                                					 *0x739a5058 =  *((intOrPtr*)(E739A2A5D() + _t78));
                                                					_t37 = E739A2A49(_t78);
                                                					_pop(_t79);
                                                					if(_t37 != 0) {
                                                						_t40 = E739A2A69(_t79);
                                                						if(_t40 > 0) {
                                                							_push(_t40);
                                                							_push(E739A2A74() + _a4 + _v8);
                                                							_push(E739A2A7E());
                                                							if( *0x739a5050 <= 0 || E739A2A3B(_a4) != 0) {
                                                								_pop(_t86);
                                                								_pop(_t45);
                                                								__eflags =  *((intOrPtr*)(_t86 + _t45)) - 2;
                                                								if(__eflags == 0) {
                                                								}
                                                								asm("loop 0xfffffff5");
                                                							} else {
                                                								_pop(_t87);
                                                								_pop(_t49);
                                                								 *0x739a504c =  *0x739a504c +  *(_t87 + _t49) * 4;
                                                								asm("loop 0xffffffeb");
                                                							}
                                                						}
                                                					}
                                                					_t105 =  *0x739a5058;
                                                					if( *0x739a5058 == 0) {
                                                						 *0x739a504c = 0;
                                                					}
                                                					E739A2AA2(_t105, _a4,  *0x739a5034,  *0x739a5038);
                                                					return _a4;
                                                				}
                                                				_push(E739A2A74() + _a4);
                                                				_t56 = E739A2A7A();
                                                				_v8 = _t56;
                                                				_t75 = _t28;
                                                				_push(_t67 + _t56 * _t75);
                                                				_t69 = E739A2A86();
                                                				_t85 = E739A2A82();
                                                				_t88 = E739A2A7E();
                                                				_t61 = _t75;
                                                				if( *((intOrPtr*)(_t88 + _t61)) == 2) {
                                                					_push( *((intOrPtr*)(_t69 + _t61)));
                                                				}
                                                				_push( *((intOrPtr*)(_t85 + _t61)));
                                                				asm("loop 0xfffffff1");
                                                				goto L9;
                                                			}


























                                                APIs
                                                • CreateFileA.KERNELBASE(00000000), ref: 739A2BB7
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.835830546.00000000739A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 739A0000, based on PE: true
                                                • Associated: 00000000.00000002.835810972.00000000739A0000.00000002.00000001.01000000.00000004.sdmp
                                                • Associated: 00000000.00000002.835840431.00000000739A4000.00000002.00000001.01000000.00000004.sdmp
                                                • Associated: 00000000.00000002.835888037.00000000739A6000.00000002.00000001.01000000.00000004.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_739a0000_CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900.jbxd
                                                Similarity
                                                • API ID: CreateFile
                                                • String ID:
                                                • API String ID: 823142352-0
                                                • Opcode ID: f04fdd309a1b08882ebd4eb55667f456f66c267eb3c64ecfa92205f133371b2c
                                                • Instruction ID: 0811984230101f44f63697fdc1c1078f37c0def2cf27d90886667ab7bf088630
                                                • Opcode Fuzzy Hash: f04fdd309a1b08882ebd4eb55667f456f66c267eb3c64ecfa92205f133371b2c
                                                • Instruction Fuzzy Hash: FD417FB2604218FFE720AF69D984BDA37B9EF05358F308775E48DEA190D6359440DB93
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E004023AA(int __eax, WCHAR* __ebx) {
                                                				WCHAR* _t11;
                                                				WCHAR* _t13;
                                                				void* _t17;
                                                				int _t21;
                                                
                                                				_t11 = __ebx;
                                                				_t5 = __eax;
                                                				_t13 = 0;
                                                				if(__eax != __ebx) {
                                                					__eax = E00402D3E(__ebx);
                                                				}
                                                				if( *((intOrPtr*)(_t17 - 0x2c)) != _t11) {
                                                					_t13 = E00402D3E(0x11);
                                                				}
                                                				if( *((intOrPtr*)(_t17 - 0x20)) != _t11) {
                                                					_t11 = E00402D3E(0x22);
                                                				}
                                                				_t5 = WritePrivateProfileStringW(0, _t13, _t11, E00402D3E(0xffffffcd)); // executed
                                                				_t21 = _t5;
                                                				if(_t21 == 0) {
                                                					 *((intOrPtr*)(_t17 - 4)) = 1;
                                                				}
                                                				 *0x434fa8 =  *0x434fa8 +  *((intOrPtr*)(_t17 - 4));
                                                				return 0;
                                                			}








                                                APIs
                                                • WritePrivateProfileStringW.KERNEL32(00000000,00000000,?,00000000), ref: 004023E1
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.835235633.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.835227877.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835247650.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835255668.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835279889.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835287535.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835293393.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835311029.0000000000460000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835319576.000000000047B000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835326492.000000000047E000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900.jbxd
                                                Similarity
                                                • API ID: PrivateProfileStringWrite
                                                • String ID:
                                                • API String ID: 390214022-0
                                                • Opcode ID: 84911039e741b8054182bf8c56606a22799472c4c6cd86ceafd7de9864a58810
                                                • Instruction ID: 2036f094aef4cf8fcdd3ce51ebd23e93268b82f075a1b79732874c3119e34eec
                                                • Opcode Fuzzy Hash: 84911039e741b8054182bf8c56606a22799472c4c6cd86ceafd7de9864a58810
                                                • Instruction Fuzzy Hash: 30E086319001246ADB303AF15E8DEBF21586F44345B14093FFA12B62C2DAFC0C42467D
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E004062AC(void* __eflags, intOrPtr _a4, short* _a8, int _a12, void** _a16) {
                                                				void* _t7;
                                                				long _t8;
                                                				void* _t9;
                                                
                                                				_t7 = E00406203(_a4,  &_a12);
                                                				if(_t7 != 0) {
                                                					_t8 = RegCreateKeyExW(_t7, _a8, 0, 0, 0, _a12, 0, _a16, 0); // executed
                                                					return _t8;
                                                				}
                                                				_t9 = 6;
                                                				return _t9;
                                                			}







                                                APIs
                                                • RegCreateKeyExW.KERNELBASE(00000000,?,00000000,00000000,00000000,?,00000000,?,00000000,?,?,?,00402DEF,00000000,?,?), ref: 004062D5
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.835235633.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.835227877.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835247650.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835255668.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835279889.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835287535.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835293393.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835311029.0000000000460000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835319576.000000000047B000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835326492.000000000047E000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900.jbxd
                                                Similarity
                                                • API ID: Create
                                                • String ID:
                                                • API String ID: 2289755597-0
                                                • Opcode ID: 33f0ef72135594440bd39ae1090de480165a05d63dfabbbeebd316e266d8c237
                                                • Instruction ID: 3317d7e482e8079663a6db4a97809581e22c1b07b88153a27e00a08cc0e2c803
                                                • Opcode Fuzzy Hash: 33f0ef72135594440bd39ae1090de480165a05d63dfabbbeebd316e266d8c237
                                                • Instruction Fuzzy Hash: 52E0ECB2020109BEEF19AF90DD1ADBB371DEB04350F01492EF916E4091E6B5A930AA74
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E00405F8A(void* _a4, void* _a8, long _a12) {
                                                				int _t7;
                                                				long _t11;
                                                
                                                				_t11 = _a12;
                                                				_t7 = ReadFile(_a4, _a8, _t11,  &_a12, 0); // executed
                                                				if(_t7 == 0 || _t11 != _a12) {
                                                					return 0;
                                                				} else {
                                                					return 1;
                                                				}
                                                			}






                                                APIs
                                                • ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,?,?,0040347A,00000000,00000000,0040329E,?,00000004,00000000,00000000,00000000), ref: 00405F9E
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.835235633.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.835227877.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835247650.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835255668.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835279889.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835287535.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835293393.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835311029.0000000000460000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835319576.000000000047B000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835326492.000000000047E000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900.jbxd
                                                Similarity
                                                • API ID: FileRead
                                                • String ID:
                                                • API String ID: 2738559852-0
                                                • Opcode ID: 0024165f2f5d2011be9120f41fe866c54f7b8e58de784a1218c53157080e4b8c
                                                • Instruction ID: f93b0abb86e743badb4163669300e0f642a0e5fa5e5e92c65fa389833edf0ca2
                                                • Opcode Fuzzy Hash: 0024165f2f5d2011be9120f41fe866c54f7b8e58de784a1218c53157080e4b8c
                                                • Instruction Fuzzy Hash: D7E08C3220121AEBEF11AE618C04EEBBB6CFF01360F004832F910E6240D238E8218BA4
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E00405FB9(void* _a4, void* _a8, long _a12) {
                                                				int _t7;
                                                				long _t11;
                                                
                                                				_t11 = _a12;
                                                				_t7 = WriteFile(_a4, _a8, _t11,  &_a12, 0); // executed
                                                				if(_t7 == 0 || _t11 != _a12) {
                                                					return 0;
                                                				} else {
                                                					return 1;
                                                				}
                                                			}






                                                APIs
                                                • WriteFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,?,?,00403430,000000FF,0041EA20,?,0041EA20,?,?,00000004,00000000), ref: 00405FCD
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.835235633.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.835227877.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835247650.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835255668.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835279889.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835287535.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835293393.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835311029.0000000000460000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835319576.000000000047B000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835326492.000000000047E000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900.jbxd
                                                Similarity
                                                • API ID: FileWrite
                                                • String ID:
                                                • API String ID: 3934441357-0
                                                • Opcode ID: 3dec9289c2e50997f5b7f42c7d661c3d3292bfbb80aff78175bf8fde073ef60e
                                                • Instruction ID: c6b158df49e6f5968e08b93a39371abef257cf80c9060b8b5a86bf4d0676d75d
                                                • Opcode Fuzzy Hash: 3dec9289c2e50997f5b7f42c7d661c3d3292bfbb80aff78175bf8fde073ef60e
                                                • Instruction Fuzzy Hash: 1FE0EC3225065AABDF109E669C04EEB7B6CEB053A0F004837FA55E3190D635E821DBA4
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			_entry_(intOrPtr _a4, intOrPtr _a8) {
                                                
                                                				 *0x739a5048 = _a4;
                                                				if(_a8 == 1) {
                                                					VirtualProtect(0x739a505c, 4, 0x40, 0x739a504c); // executed
                                                					 *0x739a505c = 0xc2;
                                                					 *0x739a504c = 0;
                                                					 *0x739a5054 = 0;
                                                					 *0x739a5068 = 0;
                                                					 *0x739a5058 = 0;
                                                					 *0x739a5050 = 0;
                                                					 *0x739a5060 = 0;
                                                					 *0x739a505e = 0;
                                                				}
                                                				return 1;
                                                			}




                                                APIs
                                                • VirtualProtect.KERNELBASE(739A505C,00000004,00000040,739A504C), ref: 739A29FD
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.835830546.00000000739A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 739A0000, based on PE: true
                                                • Associated: 00000000.00000002.835810972.00000000739A0000.00000002.00000001.01000000.00000004.sdmp
                                                • Associated: 00000000.00000002.835840431.00000000739A4000.00000002.00000001.01000000.00000004.sdmp
                                                • Associated: 00000000.00000002.835888037.00000000739A6000.00000002.00000001.01000000.00000004.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_739a0000_CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900.jbxd
                                                Similarity
                                                • API ID: ProtectVirtual
                                                • String ID:
                                                • API String ID: 544645111-0
                                                • Opcode ID: a5319d2f6022a43e1b3ac383e5f855526088fab6682e02a8622b4e72573d84d9
                                                • Instruction ID: d86513c47f09b2fd88de2c666489bb63cd7ac174d2a0b3692a208a41518486c8
                                                • Opcode Fuzzy Hash: a5319d2f6022a43e1b3ac383e5f855526088fab6682e02a8622b4e72573d84d9
                                                • Instruction Fuzzy Hash: 0EF074F27482A0FEC350EF2A84447063BE0AB48204B25873AA1DCDE242E3744444EF91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E004023EC(short __ebx) {
                                                				short _t7;
                                                				WCHAR* _t8;
                                                				WCHAR* _t17;
                                                				void* _t21;
                                                				void* _t24;
                                                
                                                				_t7 =  *0x40a010; // 0xa
                                                				 *(_t21 + 8) = _t7;
                                                				_t8 = E00402D3E(1);
                                                				 *(_t21 - 0x10) = E00402D3E(0x12);
                                                				GetPrivateProfileStringW(_t8,  *(_t21 - 0x10), _t21 + 8, _t17, 0x3ff, E00402D3E(0xffffffdd)); // executed
                                                				_t24 =  *_t17 - 0xa;
                                                				if(_t24 == 0) {
                                                					 *((intOrPtr*)(_t21 - 4)) = 1;
                                                					 *_t17 = __ebx;
                                                				}
                                                				 *0x434fa8 =  *0x434fa8 +  *((intOrPtr*)(_t21 - 4));
                                                				return 0;
                                                			}









                                                APIs
                                                • GetPrivateProfileStringW.KERNEL32 ref: 0040241D
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.835235633.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900.jbxd
                                                Similarity
                                                • API ID: PrivateProfileString
                                                • String ID:
                                                • API String ID: 1096422788-0
                                                • Opcode ID: f55628d4b7fc1c3702899dee1337003f381c7036a296fbc4314416ebe8ce5134
                                                • Instruction ID: 84a3be15b77accaad8f92e5f77cb7225a0a8ac318d6267ea73d07213f2db240d
                                                • Opcode Fuzzy Hash: f55628d4b7fc1c3702899dee1337003f381c7036a296fbc4314416ebe8ce5134
                                                • Instruction Fuzzy Hash: D3E04F30800219AADB00AFA0CE09EAE3769BF00300F10093AF520BB0D1E7FC89409749
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E0040627E(void* __eflags, intOrPtr _a4, short* _a8, int _a12, void** _a16) {
                                                				void* _t7;
                                                				long _t8;
                                                				void* _t9;
                                                
                                                				_t7 = E00406203(_a4,  &_a12);
                                                				if(_t7 != 0) {
                                                					_t8 = RegOpenKeyExW(_t7, _a8, 0, _a12, _a16); // executed
                                                					return _t8;
                                                				}
                                                				_t9 = 6;
                                                				return _t9;
                                                			}







                                                APIs
                                                • RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,?,?,0042C248,?,?,0040630C,0042C248,00000000,?,?,Call,?), ref: 004062A2
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.835235633.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900.jbxd
                                                Similarity
                                                • API ID: Open
                                                • String ID:
                                                • API String ID: 71445658-0
                                                • Opcode ID: dcd566976f3bef00ddda20b11fb2537fa700d8cbfb920dfffbe2909342267143
                                                • Instruction ID: 30c71471ac55a0486040fafebf39dce1c160f5eedd86b0188f7d98683811911a
                                                • Opcode Fuzzy Hash: dcd566976f3bef00ddda20b11fb2537fa700d8cbfb920dfffbe2909342267143
                                                • Instruction Fuzzy Hash: 45D0123254020DBBEF11AF90ED01FAB375DAB08351F01442AFE16A4091D775D530A724
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E004015A3() {
                                                				int _t5;
                                                				void* _t11;
                                                				int _t14;
                                                
                                                				_t5 = SetFileAttributesW(E00402D3E(0xfffffff0),  *(_t11 - 0x2c)); // executed
                                                				_t14 = _t5;
                                                				if(_t14 == 0) {
                                                					 *((intOrPtr*)(_t11 - 4)) = 1;
                                                				}
                                                				 *0x434fa8 =  *0x434fa8 +  *((intOrPtr*)(_t11 - 4));
                                                				return 0;
                                                			}







                                                APIs
                                                • SetFileAttributesW.KERNELBASE(00000000,?,000000F0), ref: 004015AE
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.835235633.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900.jbxd
                                                Similarity
                                                • API ID: AttributesFile
                                                • String ID:
                                                • API String ID: 3188754299-0
                                                • Opcode ID: 6b1ab73fd8eff285d918823dc1170c24360cfb5c9671e6d3e0b8c01c80aedfbb
                                                • Instruction ID: a93de1ea602b80332484b308aebd2b3b1e31a5c4c7fa674852030dd18b7254c5
                                                • Opcode Fuzzy Hash: 6b1ab73fd8eff285d918823dc1170c24360cfb5c9671e6d3e0b8c01c80aedfbb
                                                • Instruction Fuzzy Hash: AAD01772B041049BCB00DFA9AA48A9E73B0EF64328B308537D121F21D0D6F899419A29
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E0040347D(long _a4) {
                                                				long _t2;
                                                
                                                				_t2 = SetFilePointer( *0x40a018, _a4, 0, 0); // executed
                                                				return _t2;
                                                			}





                                                APIs
                                                • SetFilePointer.KERNELBASE(?,00000000,00000000,004031DA,?,?,00000007,00000009,0000000B), ref: 0040348B
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.835235633.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900.jbxd
                                                Similarity
                                                • API ID: FilePointer
                                                • String ID:
                                                • API String ID: 973152223-0
                                                • Opcode ID: e1e4f0b9cbde4cef3e4374ef9de0ac4f9a9ec0cef6a377cf2568efe91b529ef4
                                                • Instruction ID: 036c8468b6dd2e012b37e6e875261c5f60c7cf4634656b07e897873a541603b6
                                                • Opcode Fuzzy Hash: e1e4f0b9cbde4cef3e4374ef9de0ac4f9a9ec0cef6a377cf2568efe91b529ef4
                                                • Instruction Fuzzy Hash: 1FB01231140304BFDA214F10DF09F067B21BB94700F20C034B384380F086711435EB0D
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E00405A3D(struct _SHELLEXECUTEINFOW* _a4) {
                                                				struct _SHELLEXECUTEINFOW* _t4;
                                                				int _t5;
                                                
                                                				_t4 = _a4;
                                                				_t4->lpIDList = _t4->lpIDList & 0x00000000;
                                                				_t4->cbSize = 0x3c; // executed
                                                				_t5 = ShellExecuteExW(_t4); // executed
                                                				return _t5;
                                                			}






                                                APIs
                                                • ShellExecuteExW.SHELL32(?), ref: 00405A4C
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.835235633.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900.jbxd
                                                Similarity
                                                • API ID: ExecuteShell
                                                • String ID:
                                                • API String ID: 587946157-0
                                                • Opcode ID: 34af207f7f04f37b2a6a243a8c8041682423b78b35e6f682d2e1a111f695392f
                                                • Instruction ID: 155326c85e208380d9db810c36285a9e1b4200be200639c8195ffcf147e959ee
                                                • Opcode Fuzzy Hash: 34af207f7f04f37b2a6a243a8c8041682423b78b35e6f682d2e1a111f695392f
                                                • Instruction Fuzzy Hash: BEC092B2000200EFE301CF80CB09F067BE8AF54306F028068E185DA060C7788840CB29
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E0040439C(int _a4) {
                                                				long _t2;
                                                
                                                				_t2 = SendMessageW( *0x434f08, 0x28, _a4, 1); // executed
                                                				return _t2;
                                                			}





                                                APIs
                                                • SendMessageW.USER32(00000028,?,00000001,004041C7), ref: 004043AA
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.835235633.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900.jbxd
                                                Similarity
                                                • API ID: MessageSend
                                                • String ID:
                                                • API String ID: 3850602802-0
                                                • Opcode ID: ea04ea026f55595d688d74c1d87789f1c1942be7a89ca5b988cfd0b6025de892
                                                • Instruction ID: f9270ce27bc2d5d500308faa7c43699bdd9cec228278350af1c7ef3a72e6c056
                                                • Opcode Fuzzy Hash: ea04ea026f55595d688d74c1d87789f1c1942be7a89ca5b988cfd0b6025de892
                                                • Instruction Fuzzy Hash: 4FB01235181A00FBDE514B00DE09F857E62F7E4701F058038F341240F0CBB200A4DB08
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 78%
                                                			E00401FA4(void* __ecx) {
                                                				void* _t9;
                                                				intOrPtr _t13;
                                                				void* _t15;
                                                				void* _t17;
                                                				void* _t20;
                                                				void* _t22;
                                                
                                                				_t17 = __ecx;
                                                				_t19 = E00402D3E(_t15);
                                                				E00405479(0xffffffeb, _t7);
                                                				_t9 = E004059FA(_t19); // executed
                                                				_t20 = _t9;
                                                				if(_t20 == _t15) {
                                                					 *((intOrPtr*)(_t22 - 4)) = 1;
                                                				} else {
                                                					if( *((intOrPtr*)(_t22 - 0x28)) != _t15) {
                                                						_t13 = E004068B1(_t17, _t20);
                                                						if( *((intOrPtr*)(_t22 - 0x2c)) < _t15) {
                                                							if(_t13 != _t15) {
                                                								 *((intOrPtr*)(_t22 - 4)) = 1;
                                                							}
                                                						} else {
                                                							E00406358( *((intOrPtr*)(_t22 - 0xc)), _t13);
                                                						}
                                                					}
                                                					_push(_t20);
                                                					CloseHandle();
                                                				}
                                                				 *0x434fa8 =  *0x434fa8 +  *((intOrPtr*)(_t22 - 4));
                                                				return 0;
                                                			}










                                                APIs
                                                  • Part of subcall function 00405479: lstrlenW.KERNEL32(0042C248,00000000,00425A20,7476EA30,?,?,?,?,?,?,?,?,?,004033B0,00000000,?), ref: 004054B1
                                                  • Part of subcall function 00405479: lstrlenW.KERNEL32(004033B0,0042C248,00000000,00425A20,7476EA30,?,?,?,?,?,?,?,?,?,004033B0,00000000), ref: 004054C1
                                                  • Part of subcall function 00405479: lstrcatW.KERNEL32(0042C248,004033B0), ref: 004054D4
                                                  • Part of subcall function 00405479: SetWindowTextW.USER32(0042C248,0042C248), ref: 004054E6
                                                  • Part of subcall function 00405479: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040550C
                                                  • Part of subcall function 00405479: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405526
                                                  • Part of subcall function 00405479: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405534
                                                  • Part of subcall function 004059FA: CreateProcessW.KERNELBASE ref: 00405A23
                                                  • Part of subcall function 004059FA: CloseHandle.KERNEL32(?), ref: 00405A30
                                                • CloseHandle.KERNEL32(?,?,?,?,?,?), ref: 00401FEB
                                                  • Part of subcall function 004068B1: WaitForSingleObject.KERNEL32(?,00000064), ref: 004068C2
                                                  • Part of subcall function 004068B1: GetExitCodeProcess.KERNEL32 ref: 004068E4
                                                  • Part of subcall function 00406358: wsprintfW.USER32 ref: 00406365
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.835235633.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.835227877.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835247650.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835255668.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835279889.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835287535.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835293393.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835311029.0000000000460000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835319576.000000000047B000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835326492.000000000047E000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900.jbxd
                                                Similarity
                                                • API ID: MessageSend$CloseHandleProcesslstrlen$CodeCreateExitObjectSingleTextWaitWindowlstrcatwsprintf
                                                • String ID:
                                                • API String ID: 2972824698-0
                                                • Opcode ID: 2c7cace8b40396dc1007721c752aece60cf73a9644ca7ded5cab49998381d192
                                                • Instruction ID: 70f87f17d48a981753e2349e7fd5e29e0bd5cf5a9d75e43b79cc9d2baa006ef6
                                                • Opcode Fuzzy Hash: 2c7cace8b40396dc1007721c752aece60cf73a9644ca7ded5cab49998381d192
                                                • Instruction Fuzzy Hash: 05F09632905111EBCB10AFA589849DE72B4DF00314B25453BE552B31D0C7BC0D419A6E
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E004014D7(intOrPtr __edx) {
                                                				long _t3;
                                                				void* _t7;
                                                				intOrPtr _t10;
                                                				void* _t13;
                                                
                                                				_t10 = __edx;
                                                				_t3 = E00402D1C(_t7);
                                                				 *((intOrPtr*)(_t13 - 0x10)) = _t10;
                                                				if(_t3 <= 1) {
                                                					_t3 = 1;
                                                				}
                                                				Sleep(_t3); // executed
                                                				 *0x434fa8 =  *0x434fa8 +  *((intOrPtr*)(_t13 - 4));
                                                				return 0;
                                                			}








                                                APIs
                                                • Sleep.KERNELBASE(00000000), ref: 004014EA
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.835235633.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.835227877.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835247650.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835255668.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835279889.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835287535.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835293393.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835311029.0000000000460000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835319576.000000000047B000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835326492.000000000047E000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900.jbxd
                                                Similarity
                                                • API ID: Sleep
                                                • String ID:
                                                • API String ID: 3472027048-0
                                                • Opcode ID: f5bdca1a155d9e49db802200bf92d6fca10bad1793e20f26dfe4708f9af3b7d1
                                                • Instruction ID: 48b894a6b6243f55f811ea40c192212472d129cd546c7318a3a4cbaf3ee199e0
                                                • Opcode Fuzzy Hash: f5bdca1a155d9e49db802200bf92d6fca10bad1793e20f26dfe4708f9af3b7d1
                                                • Instruction Fuzzy Hash: EFD05E73A201009BC700DFB8BE8545E73B8EA903293304837D442E20D1E6B898418628
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E739A121B() {
                                                				void* _t3;
                                                
                                                				_t3 = GlobalAlloc(0x40,  *0x739a506c +  *0x739a506c); // executed
                                                				return _t3;
                                                			}





                                                APIs
                                                • GlobalAlloc.KERNELBASE(00000040,?,739A123B,?,739A12DF,00000019,739A11BE,-000000A0), ref: 739A1225
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.835830546.00000000739A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 739A0000, based on PE: true
                                                • Associated: 00000000.00000002.835810972.00000000739A0000.00000002.00000001.01000000.00000004.sdmp
                                                • Associated: 00000000.00000002.835840431.00000000739A4000.00000002.00000001.01000000.00000004.sdmp
                                                • Associated: 00000000.00000002.835888037.00000000739A6000.00000002.00000001.01000000.00000004.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_739a0000_CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900.jbxd
                                                Similarity
                                                • API ID: AllocGlobal
                                                • String ID:
                                                • API String ID: 3761449716-0
                                                • Opcode ID: bada414781ede8d186198270e0fd30b80b67cb24a6047e01fb38a9e0d9b2c7d4
                                                • Instruction ID: a0bca1d33e7095d4d51d390d7e4d51002b4d893ca46297b331a52b6a8563bd46
                                                • Opcode Fuzzy Hash: bada414781ede8d186198270e0fd30b80b67cb24a6047e01fb38a9e0d9b2c7d4
                                                • Instruction Fuzzy Hash: 99B012B2B08020EFEF40AB65CC06F343254EF00301F154120F70CC8281C1604800E534
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 95%
                                                			E004055B8(struct HWND__* _a4, long _a8, long _a12, unsigned int _a16) {
                                                				struct HWND__* _v8;
                                                				long _v12;
                                                				struct tagRECT _v28;
                                                				void* _v36;
                                                				signed int _v40;
                                                				int _v44;
                                                				int _v48;
                                                				signed int _v52;
                                                				int _v56;
                                                				void* _v60;
                                                				void* _v68;
                                                				void* __ebx;
                                                				void* __edi;
                                                				void* __esi;
                                                				struct HWND__* _t94;
                                                				long _t95;
                                                				int _t100;
                                                				void* _t108;
                                                				intOrPtr _t130;
                                                				struct HWND__* _t134;
                                                				int _t156;
                                                				int _t159;
                                                				struct HMENU__* _t164;
                                                				struct HWND__* _t168;
                                                				struct HWND__* _t169;
                                                				int _t171;
                                                				void* _t172;
                                                				short* _t173;
                                                				short* _t175;
                                                				int _t177;
                                                
                                                				_t169 =  *0x433ee4;
                                                				_t156 = 0;
                                                				_v8 = _t169;
                                                				if(_a8 != 0x110) {
                                                					if(_a8 == 0x405) {
                                                						CloseHandle(CreateThread(0, 0, E0040554C, GetDlgItem(_a4, 0x3ec), 0,  &_v12));
                                                					}
                                                					if(_a8 != 0x111) {
                                                						L17:
                                                						_t171 = 1;
                                                						if(_a8 != 0x404) {
                                                							L25:
                                                							if(_a8 != 0x7b) {
                                                								goto L20;
                                                							}
                                                							_t94 = _v8;
                                                							if(_a12 != _t94) {
                                                								goto L20;
                                                							}
                                                							_t95 = SendMessageW(_t94, 0x1004, _t156, _t156);
                                                							_a8 = _t95;
                                                							if(_t95 <= _t156) {
                                                								L36:
                                                								return 0;
                                                							}
                                                							_t164 = CreatePopupMenu();
                                                							AppendMenuW(_t164, _t156, _t171, E0040644E(_t156, _t164, _t171, _t156, 0xffffffe1));
                                                							_t100 = _a16;
                                                							_t159 = _a16 >> 0x10;
                                                							if(_a16 == 0xffffffff) {
                                                								GetWindowRect(_v8,  &_v28);
                                                								_t100 = _v28.left;
                                                								_t159 = _v28.top;
                                                							}
                                                							if(TrackPopupMenu(_t164, 0x180, _t100, _t159, _t156, _a4, _t156) == _t171) {
                                                								_v60 = _t156;
                                                								_v48 = 0x42d268;
                                                								_v44 = 0x1000;
                                                								_a4 = _a8;
                                                								do {
                                                									_a4 = _a4 - 1;
                                                									_t171 = _t171 + SendMessageW(_v8, 0x1073, _a4,  &_v68) + 2;
                                                								} while (_a4 != _t156);
                                                								OpenClipboard(_t156);
                                                								EmptyClipboard();
                                                								_t108 = GlobalAlloc(0x42, _t171 + _t171);
                                                								_a4 = _t108;
                                                								_t172 = GlobalLock(_t108);
                                                								do {
                                                									_v48 = _t172;
                                                									_t173 = _t172 + SendMessageW(_v8, 0x1073, _t156,  &_v68) * 2;
                                                									 *_t173 = 0xd;
                                                									_t175 = _t173 + 2;
                                                									 *_t175 = 0xa;
                                                									_t172 = _t175 + 2;
                                                									_t156 = _t156 + 1;
                                                								} while (_t156 < _a8);
                                                								GlobalUnlock(_a4);
                                                								SetClipboardData(0xd, _a4);
                                                								CloseClipboard();
                                                							}
                                                							goto L36;
                                                						}
                                                						if( *0x433ecc == _t156) {
                                                							ShowWindow( *0x434f08, 8);
                                                							if( *0x434fac == _t156) {
                                                								E00405479( *((intOrPtr*)( *0x42c240 + 0x34)), _t156);
                                                							}
                                                							E00404340(_t171);
                                                							goto L25;
                                                						}
                                                						 *0x42ba38 = 2;
                                                						E00404340(0x78);
                                                						goto L20;
                                                					} else {
                                                						if(_a12 != 0x403) {
                                                							L20:
                                                							return E004043CE(_a8, _a12, _a16);
                                                						}
                                                						ShowWindow( *0x433ed0, _t156);
                                                						ShowWindow(_t169, 8);
                                                						E0040439C(_t169);
                                                						goto L17;
                                                					}
                                                				}
                                                				_v52 = _v52 | 0xffffffff;
                                                				_v40 = _v40 | 0xffffffff;
                                                				_t177 = 2;
                                                				_v60 = _t177;
                                                				_v56 = 0;
                                                				_v48 = 0;
                                                				_v44 = 0;
                                                				asm("stosd");
                                                				asm("stosd");
                                                				_t130 =  *0x434f14;
                                                				_a8 =  *((intOrPtr*)(_t130 + 0x5c));
                                                				_a12 =  *((intOrPtr*)(_t130 + 0x60));
                                                				 *0x433ed0 = GetDlgItem(_a4, 0x403);
                                                				 *0x433ec8 = GetDlgItem(_a4, 0x3ee);
                                                				_t134 = GetDlgItem(_a4, 0x3f8);
                                                				 *0x433ee4 = _t134;
                                                				_v8 = _t134;
                                                				E0040439C( *0x433ed0);
                                                				 *0x433ed4 = E00404CF5(4);
                                                				 *0x433eec = 0;
                                                				GetClientRect(_v8,  &_v28);
                                                				_v52 = _v28.right - GetSystemMetrics(_t177);
                                                				SendMessageW(_v8, 0x1061, 0,  &_v60);
                                                				SendMessageW(_v8, 0x1036, 0x4000, 0x4000);
                                                				if(_a8 >= 0) {
                                                					SendMessageW(_v8, 0x1001, 0, _a8);
                                                					SendMessageW(_v8, 0x1026, 0, _a8);
                                                				}
                                                				if(_a12 >= _t156) {
                                                					SendMessageW(_v8, 0x1024, _t156, _a12);
                                                				}
                                                				_push( *((intOrPtr*)(_a16 + 0x30)));
                                                				_push(0x1b);
                                                				E00404367(_a4);
                                                				if(( *0x434f1c & 0x00000003) != 0) {
                                                					ShowWindow( *0x433ed0, _t156);
                                                					if(( *0x434f1c & 0x00000002) != 0) {
                                                						 *0x433ed0 = _t156;
                                                					} else {
                                                						ShowWindow(_v8, 8);
                                                					}
                                                					E0040439C( *0x433ec8);
                                                				}
                                                				_t168 = GetDlgItem(_a4, 0x3ec);
                                                				SendMessageW(_t168, 0x401, _t156, 0x75300000);
                                                				if(( *0x434f1c & 0x00000004) != 0) {
                                                					SendMessageW(_t168, 0x409, _t156, _a12);
                                                					SendMessageW(_t168, 0x2001, _t156, _a8);
                                                				}
                                                				goto L36;
                                                			}

































                                                0x00405659
                                                0x00405662
                                                0x00405684
                                                0x0040568a
                                                0x0040569b
                                                0x004056a0
                                                0x004056ae
                                                0x004056bc
                                                0x004056bc
                                                0x004056c1
                                                0x004056cf
                                                0x004056cf
                                                0x004056d4
                                                0x004056d7
                                                0x004056dc
                                                0x004056e8
                                                0x004056f1
                                                0x004056fe
                                                0x0040570d
                                                0x00405700
                                                0x00405705
                                                0x00405705
                                                0x00405719
                                                0x00405719
                                                0x0040572d
                                                0x00405736
                                                0x0040573f
                                                0x0040574f
                                                0x0040575b
                                                0x0040575b
                                                0x00000000

                                                APIs
                                                • GetDlgItem.USER32 ref: 00405616
                                                • GetDlgItem.USER32 ref: 00405625
                                                • GetClientRect.USER32 ref: 00405662
                                                • GetSystemMetrics.USER32 ref: 00405669
                                                • SendMessageW.USER32(?,00001061,00000000,?), ref: 0040568A
                                                • SendMessageW.USER32(?,00001036,00004000,00004000), ref: 0040569B
                                                • SendMessageW.USER32(?,00001001,00000000,00000110), ref: 004056AE
                                                • SendMessageW.USER32(?,00001026,00000000,00000110), ref: 004056BC
                                                • SendMessageW.USER32(?,00001024,00000000,?), ref: 004056CF
                                                • ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 004056F1
                                                • ShowWindow.USER32(?,00000008), ref: 00405705
                                                • GetDlgItem.USER32 ref: 00405726
                                                • SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 00405736
                                                • SendMessageW.USER32(00000000,00000409,00000000,?), ref: 0040574F
                                                • SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 0040575B
                                                • GetDlgItem.USER32 ref: 00405634
                                                  • Part of subcall function 0040439C: SendMessageW.USER32(00000028,?,00000001,004041C7), ref: 004043AA
                                                • GetDlgItem.USER32 ref: 00405778
                                                • CreateThread.KERNEL32 ref: 00405786
                                                • CloseHandle.KERNEL32(00000000), ref: 0040578D
                                                • ShowWindow.USER32(00000000), ref: 004057B1
                                                • ShowWindow.USER32(?,00000008), ref: 004057B6
                                                • ShowWindow.USER32(00000008), ref: 00405800
                                                • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405834
                                                • CreatePopupMenu.USER32 ref: 00405845
                                                • AppendMenuW.USER32 ref: 00405859
                                                • GetWindowRect.USER32 ref: 00405879
                                                • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 00405892
                                                • SendMessageW.USER32(?,00001073,00000000,?), ref: 004058CA
                                                • OpenClipboard.USER32(00000000), ref: 004058DA
                                                • EmptyClipboard.USER32 ref: 004058E0
                                                • GlobalAlloc.KERNEL32(00000042,00000000), ref: 004058EC
                                                • GlobalLock.KERNEL32 ref: 004058F6
                                                • SendMessageW.USER32(?,00001073,00000000,?), ref: 0040590A
                                                • GlobalUnlock.KERNEL32(00000000), ref: 0040592A
                                                • SetClipboardData.USER32 ref: 00405935
                                                • CloseClipboard.USER32 ref: 0040593B
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.835235633.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.835227877.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835247650.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835255668.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835279889.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835287535.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835293393.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835311029.0000000000460000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835319576.000000000047B000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835326492.000000000047E000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900.jbxd
                                                Similarity
                                                • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
                                                • String ID: {
                                                • API String ID: 590372296-366298937
                                                • Opcode ID: 8f25bff0f06489f7a1a8ce70ca033e140048c00b36b59f282442a9f3d67c4887
                                                • Instruction ID: ef42e6e7ad26681d1de71b6013131fdd69d98400fc0f56e042e978cac442fd71
                                                • Opcode Fuzzy Hash: 8f25bff0f06489f7a1a8ce70ca033e140048c00b36b59f282442a9f3d67c4887
                                                • Instruction Fuzzy Hash: 45B138B1900608FFDB11AFA0DE85AAE7B79FB44355F00803AFA41B61A0CB755E51DF68
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 78%
                                                			E00404858(unsigned int __edx, struct HWND__* _a4, intOrPtr _a8, unsigned int _a12, intOrPtr _a16) {
                                                				signed int _v8;
                                                				signed int _v12;
                                                				long _v16;
                                                				long _v20;
                                                				long _v24;
                                                				char _v28;
                                                				intOrPtr _v32;
                                                				long _v36;
                                                				char _v40;
                                                				unsigned int _v44;
                                                				signed int _v48;
                                                				WCHAR* _v56;
                                                				intOrPtr _v60;
                                                				intOrPtr _v64;
                                                				intOrPtr _v68;
                                                				WCHAR* _v72;
                                                				void _v76;
                                                				struct HWND__* _v80;
                                                				void* __ebx;
                                                				void* __edi;
                                                				void* __esi;
                                                				intOrPtr _t82;
                                                				long _t87;
                                                				short* _t89;
                                                				void* _t95;
                                                				signed int _t96;
                                                				int _t109;
                                                				signed short _t114;
                                                				signed int _t118;
                                                				struct HWND__** _t122;
                                                				intOrPtr* _t138;
                                                				WCHAR* _t146;
                                                				unsigned int _t150;
                                                				signed int _t152;
                                                				unsigned int _t156;
                                                				signed int _t158;
                                                				signed int* _t159;
                                                				signed int* _t160;
                                                				struct HWND__* _t166;
                                                				struct HWND__* _t167;
                                                				int _t169;
                                                				unsigned int _t197;
                                                
                                                				_t156 = __edx;
                                                				_t82 =  *0x42c240;
                                                				_v32 = _t82;
                                                				_t146 = ( *(_t82 + 0x3c) << 0xb) + 0x436000;
                                                				_v12 =  *((intOrPtr*)(_t82 + 0x38));
                                                				if(_a8 == 0x40b) {
                                                					E00405A5B(0x3fb, _t146);
                                                					E004066C0(_t146);
                                                				}
                                                				_t167 = _a4;
                                                				if(_a8 != 0x110) {
                                                					L8:
                                                					if(_a8 != 0x111) {
                                                						L20:
                                                						if(_a8 == 0x40f) {
                                                							L22:
                                                							_v8 = _v8 & 0x00000000;
                                                							_v12 = _v12 & 0x00000000;
                                                							E00405A5B(0x3fb, _t146);
                                                							if(E00405DEE(_t186, _t146) == 0) {
                                                								_v8 = 1;
                                                							}
                                                							E00406411(0x42b238, _t146);
                                                							_t87 = E00406806(1);
                                                							_v16 = _t87;
                                                							if(_t87 == 0) {
                                                								L30:
                                                								E00406411(0x42b238, _t146);
                                                								_t89 = E00405D91(0x42b238);
                                                								_t158 = 0;
                                                								if(_t89 != 0) {
                                                									 *_t89 = 0;
                                                								}
                                                								if(GetDiskFreeSpaceW(0x42b238,  &_v20,  &_v24,  &_v16,  &_v36) == 0) {
                                                									goto L35;
                                                								} else {
                                                									_t169 = 0x400;
                                                									_t109 = MulDiv(_v20 * _v24, _v16, 0x400);
                                                									asm("cdq");
                                                									_v48 = _t109;
                                                									_v44 = _t156;
                                                									_v12 = 1;
                                                									goto L36;
                                                								}
                                                							} else {
                                                								_t159 = 0;
                                                								if(0 == 0x42b238) {
                                                									goto L30;
                                                								} else {
                                                									goto L26;
                                                								}
                                                								while(1) {
                                                									L26:
                                                									_t114 = _v16(0x42b238,  &_v48,  &_v28,  &_v40);
                                                									if(_t114 != 0) {
                                                										break;
                                                									}
                                                									if(_t159 != 0) {
                                                										 *_t159 =  *_t159 & _t114;
                                                									}
                                                									_t160 = E00405D32(0x42b238);
                                                									 *_t160 =  *_t160 & 0x00000000;
                                                									_t159 = _t160;
                                                									 *_t159 = 0x5c;
                                                									if(_t159 != 0x42b238) {
                                                										continue;
                                                									} else {
                                                										goto L30;
                                                									}
                                                								}
                                                								_t150 = _v44;
                                                								_v48 = (_t150 << 0x00000020 | _v48) >> 0xa;
                                                								_v44 = _t150 >> 0xa;
                                                								_v12 = 1;
                                                								_t158 = 0;
                                                								__eflags = 0;
                                                								L35:
                                                								_t169 = 0x400;
                                                								L36:
                                                								_t95 = E00404CF5(5);
                                                								if(_v12 != _t158) {
                                                									_t197 = _v44;
                                                									if(_t197 <= 0 && (_t197 < 0 || _v48 < _t95)) {
                                                										_v8 = 2;
                                                									}
                                                								}
                                                								if( *((intOrPtr*)( *0x433edc + 0x10)) != _t158) {
                                                									E00404CDD(0x3ff, 0xfffffffb, _t95);
                                                									if(_v12 == _t158) {
                                                										SetDlgItemTextW(_a4, _t169, 0x42b228);
                                                									} else {
                                                										E00404C14(_t169, 0xfffffffc, _v48, _v44);
                                                									}
                                                								}
                                                								_t96 = _v8;
                                                								 *0x434fc4 = _t96;
                                                								if(_t96 == _t158) {
                                                									_v8 = E0040140B(7);
                                                								}
                                                								if(( *(_v32 + 0x14) & _t169) != 0) {
                                                									_v8 = _t158;
                                                								}
                                                								E00404389(0 | _v8 == _t158);
                                                								if(_v8 == _t158 &&  *0x42d258 == _t158) {
                                                									E004047B1();
                                                								}
                                                								 *0x42d258 = _t158;
                                                								goto L53;
                                                							}
                                                						}
                                                						_t186 = _a8 - 0x405;
                                                						if(_a8 != 0x405) {
                                                							goto L53;
                                                						}
                                                						goto L22;
                                                					}
                                                					_t118 = _a12 & 0x0000ffff;
                                                					if(_t118 != 0x3fb) {
                                                						L12:
                                                						if(_t118 == 0x3e9) {
                                                							_t152 = 7;
                                                							memset( &_v76, 0, _t152 << 2);
                                                							_v80 = _t167;
                                                							_v72 = 0x42d268;
                                                							_v60 = E00404BAE;
                                                							_v56 = _t146;
                                                							_v68 = E0040644E(_t146, 0x42d268, _t167, 0x42ba40, _v12);
                                                							_t122 =  &_v80;
                                                							_v64 = 0x41;
                                                							__imp__SHBrowseForFolderW(_t122);
                                                							if(_t122 == 0) {
                                                								_a8 = 0x40f;
                                                							} else {
                                                								__imp__CoTaskMemFree(_t122);
                                                								E00405CE6(_t146);
                                                								_t125 =  *((intOrPtr*)( *0x434f14 + 0x11c));
                                                								if( *((intOrPtr*)( *0x434f14 + 0x11c)) != 0 && _t146 == L"C:\\Users\\jones\\AppData\\Roaming\\Shoved") {
                                                									E0040644E(_t146, 0x42d268, _t167, 0, _t125);
                                                									if(lstrcmpiW(0x432ea0, 0x42d268) != 0) {
                                                										lstrcatW(_t146, 0x432ea0);
                                                									}
                                                								}
                                                								 *0x42d258 =  *0x42d258 + 1;
                                                								SetDlgItemTextW(_t167, 0x3fb, _t146);
                                                							}
                                                						}
                                                						goto L20;
                                                					}
                                                					if(_a12 >> 0x10 != 0x300) {
                                                						goto L53;
                                                					}
                                                					_a8 = 0x40f;
                                                					goto L12;
                                                				} else {
                                                					_t166 = GetDlgItem(_t167, 0x3fb);
                                                					if(E00405D5D(_t146) != 0 && E00405D91(_t146) == 0) {
                                                						E00405CE6(_t146);
                                                					}
                                                					 *0x433ed8 = _t167;
                                                					SetWindowTextW(_t166, _t146);
                                                					_push( *((intOrPtr*)(_a16 + 0x34)));
                                                					_push(1);
                                                					E00404367(_t167);
                                                					_push( *((intOrPtr*)(_a16 + 0x30)));
                                                					_push(0x14);
                                                					E00404367(_t167);
                                                					E0040439C(_t166);
                                                					_t138 = E00406806(8);
                                                					if(_t138 == 0) {
                                                						L53:
                                                						return E004043CE(_a8, _a12, _a16);
                                                					} else {
                                                						 *_t138(_t166, 1);
                                                						goto L8;
                                                					}
                                                				}
                                                			}

                                                0x00404965
                                                0x0040496c
                                                0x00404974
                                                0x00404977
                                                0x0040497b
                                                0x00404982
                                                0x0040498a
                                                0x004049e4
                                                0x0040498c
                                                0x0040498d
                                                0x00404994
                                                0x0040499e
                                                0x004049a6
                                                0x004049b3
                                                0x004049c7
                                                0x004049cb
                                                0x004049cb
                                                0x004049c7
                                                0x004049d0
                                                0x004049dd
                                                0x004049dd
                                                0x0040498a
                                                0x00000000
                                                0x00404942
                                                0x00404930
                                                0x00000000
                                                0x00000000
                                                0x00404936
                                                0x00000000
                                                0x004048a1
                                                0x004048ae
                                                0x004048b7
                                                0x004048c4
                                                0x004048c4
                                                0x004048cb
                                                0x004048d1
                                                0x004048da
                                                0x004048dd
                                                0x004048e0
                                                0x004048e8
                                                0x004048eb
                                                0x004048ee
                                                0x004048f4
                                                0x004048fb
                                                0x00404902
                                                0x00404b99
                                                0x00404bab
                                                0x00404908
                                                0x0040490b
                                                0x00000000
                                                0x0040490b
                                                0x00404902

                                                APIs
                                                • GetDlgItem.USER32 ref: 004048A7
                                                • SetWindowTextW.USER32(00000000,?), ref: 004048D1
                                                • SHBrowseForFolderW.SHELL32(?), ref: 00404982
                                                • CoTaskMemFree.OLE32(00000000), ref: 0040498D
                                                • lstrcmpiW.KERNEL32(Call,0042D268,00000000,?,?), ref: 004049BF
                                                • lstrcatW.KERNEL32(?,Call), ref: 004049CB
                                                • SetDlgItemTextW.USER32 ref: 004049DD
                                                  • Part of subcall function 00405A5B: GetDlgItemTextW.USER32(?,?,00000400,00404A14), ref: 00405A6E
                                                  • Part of subcall function 004066C0: CharNextW.USER32(?,*?|<>/":,00000000,00000000,7476FAA0,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe",004034A0,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040370F,?,00000007,00000009,0000000B), ref: 00406723
                                                  • Part of subcall function 004066C0: CharNextW.USER32(?,?,?,00000000,?,00000007,00000009,0000000B), ref: 00406732
                                                  • Part of subcall function 004066C0: CharNextW.USER32(?,00000000,7476FAA0,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe",004034A0,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040370F,?,00000007,00000009,0000000B), ref: 00406737
                                                  • Part of subcall function 004066C0: CharPrevW.USER32(?,?,7476FAA0,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe",004034A0,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040370F,?,00000007,00000009,0000000B), ref: 0040674A
                                                • GetDiskFreeSpaceW.KERNEL32(0042B238,?,?,0000040F,?,0042B238,0042B238,?,00000001,0042B238,?,?,000003FB,?), ref: 00404AA0
                                                • MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404ABB
                                                  • Part of subcall function 00404C14: lstrlenW.KERNEL32(0042D268,0042D268,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404CB5
                                                  • Part of subcall function 00404C14: wsprintfW.USER32 ref: 00404CBE
                                                  • Part of subcall function 00404C14: SetDlgItemTextW.USER32 ref: 00404CD1
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.835235633.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.835227877.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835247650.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835255668.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835279889.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835287535.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835293393.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835311029.0000000000460000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835319576.000000000047B000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835326492.000000000047E000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900.jbxd
                                                Similarity
                                                • API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
                                                • String ID: A$C:\Users\user\AppData\Roaming\Shoved$Call
                                                • API String ID: 2624150263-2384274076
                                                • Opcode ID: 853e4702587f22a3b0095dfd1c3f762452952fa67d6f0456fc7ffaafa7f78d96
                                                • Instruction ID: 0d1333b798dde08b2b35772059431d035751c92a28532a026af6b574b599a32b
                                                • Opcode Fuzzy Hash: 853e4702587f22a3b0095dfd1c3f762452952fa67d6f0456fc7ffaafa7f78d96
                                                • Instruction Fuzzy Hash: 56A15EF1A00209ABDB11AFA5CD45AAFB7B8EF84314F10843BF601B62D1D77C99418B6D
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 67%
                                                			E004021A2(void* __eflags) {
                                                				signed int _t52;
                                                				void* _t56;
                                                				intOrPtr* _t60;
                                                				intOrPtr _t61;
                                                				intOrPtr* _t62;
                                                				intOrPtr* _t64;
                                                				intOrPtr* _t66;
                                                				intOrPtr* _t68;
                                                				intOrPtr* _t70;
                                                				intOrPtr* _t72;
                                                				intOrPtr* _t74;
                                                				intOrPtr* _t76;
                                                				intOrPtr* _t78;
                                                				intOrPtr* _t80;
                                                				void* _t83;
                                                				intOrPtr* _t91;
                                                				signed int _t101;
                                                				signed int _t105;
                                                				void* _t107;
                                                
                                                				 *((intOrPtr*)(_t107 - 0x10)) = E00402D3E(0xfffffff0);
                                                				 *((intOrPtr*)(_t107 - 0x44)) = E00402D3E(0xffffffdf);
                                                				 *((intOrPtr*)(_t107 - 8)) = E00402D3E(2);
                                                				 *((intOrPtr*)(_t107 - 0x4c)) = E00402D3E(0xffffffcd);
                                                				 *((intOrPtr*)(_t107 - 0xc)) = E00402D3E(0x45);
                                                				_t52 =  *(_t107 - 0x20);
                                                				 *(_t107 - 0x50) = _t52 & 0x00000fff;
                                                				_t101 = _t52 & 0x00008000;
                                                				_t105 = _t52 >> 0x0000000c & 0x00000007;
                                                				 *(_t107 - 0x40) = _t52 >> 0x00000010 & 0x0000ffff;
                                                				if(E00405D5D( *((intOrPtr*)(_t107 - 0x44))) == 0) {
                                                					E00402D3E(0x21);
                                                				}
                                                				_t56 = _t107 + 8;
                                                				__imp__CoCreateInstance(0x4085f0, _t83, 1, 0x4085e0, _t56);
                                                				if(_t56 < _t83) {
                                                					L14:
                                                					 *((intOrPtr*)(_t107 - 4)) = 1;
                                                					_push(0xfffffff0);
                                                				} else {
                                                					_t60 =  *((intOrPtr*)(_t107 + 8));
                                                					_t61 =  *((intOrPtr*)( *_t60))(_t60, 0x408600, _t107 - 0x38);
                                                					 *((intOrPtr*)(_t107 - 0x18)) = _t61;
                                                					if(_t61 >= _t83) {
                                                						_t64 =  *((intOrPtr*)(_t107 + 8));
                                                						 *((intOrPtr*)(_t107 - 0x18)) =  *((intOrPtr*)( *_t64 + 0x50))(_t64,  *((intOrPtr*)(_t107 - 0x44)));
                                                						if(_t101 == _t83) {
                                                							_t80 =  *((intOrPtr*)(_t107 + 8));
                                                							 *((intOrPtr*)( *_t80 + 0x24))(_t80, L"C:\\Users\\jones\\AppData\\Roaming\\Shoved\\Factorist");
                                                						}
                                                						if(_t105 != _t83) {
                                                							_t78 =  *((intOrPtr*)(_t107 + 8));
                                                							 *((intOrPtr*)( *_t78 + 0x3c))(_t78, _t105);
                                                						}
                                                						_t66 =  *((intOrPtr*)(_t107 + 8));
                                                						 *((intOrPtr*)( *_t66 + 0x34))(_t66,  *(_t107 - 0x40));
                                                						_t91 =  *((intOrPtr*)(_t107 - 0x4c));
                                                						if( *_t91 != _t83) {
                                                							_t76 =  *((intOrPtr*)(_t107 + 8));
                                                							 *((intOrPtr*)( *_t76 + 0x44))(_t76, _t91,  *(_t107 - 0x50));
                                                						}
                                                						_t68 =  *((intOrPtr*)(_t107 + 8));
                                                						 *((intOrPtr*)( *_t68 + 0x2c))(_t68,  *((intOrPtr*)(_t107 - 8)));
                                                						_t70 =  *((intOrPtr*)(_t107 + 8));
                                                						 *((intOrPtr*)( *_t70 + 0x1c))(_t70,  *((intOrPtr*)(_t107 - 0xc)));
                                                						if( *((intOrPtr*)(_t107 - 0x18)) >= _t83) {
                                                							_t74 =  *((intOrPtr*)(_t107 - 0x38));
                                                							 *((intOrPtr*)(_t107 - 0x18)) =  *((intOrPtr*)( *_t74 + 0x18))(_t74,  *((intOrPtr*)(_t107 - 0x10)), 1);
                                                						}
                                                						_t72 =  *((intOrPtr*)(_t107 - 0x38));
                                                						 *((intOrPtr*)( *_t72 + 8))(_t72);
                                                					}
                                                					_t62 =  *((intOrPtr*)(_t107 + 8));
                                                					 *((intOrPtr*)( *_t62 + 8))(_t62);
                                                					if( *((intOrPtr*)(_t107 - 0x18)) >= _t83) {
                                                						_push(0xfffffff4);
                                                					} else {
                                                						goto L14;
                                                					}
                                                				}
                                                				E00401423();
                                                				 *0x434fa8 =  *0x434fa8 +  *((intOrPtr*)(_t107 - 4));
                                                				return 0;
                                                			}

                                                APIs
                                                • CoCreateInstance.OLE32(004085F0,?,00000001,004085E0,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402221
                                                Strings
                                                • C:\Users\user\AppData\Roaming\Shoved\Factorist, xrefs: 00402261
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.835235633.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.835227877.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835247650.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835255668.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835279889.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835287535.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835293393.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835311029.0000000000460000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835319576.000000000047B000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835326492.000000000047E000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900.jbxd
                                                Similarity
                                                • API ID: CreateInstance
                                                • String ID: C:\Users\user\AppData\Roaming\Shoved\Factorist
                                                • API String ID: 542301482-196838919
                                                • Opcode ID: 9d479c7c72b9213c6dfc702f82f35e79a053754e3cc1bdd00607558639033416
                                                • Instruction ID: 552a380bc1a798379165a166047c46cc7e7689cdd056a509842d4882e8d45c12
                                                • Opcode Fuzzy Hash: 9d479c7c72b9213c6dfc702f82f35e79a053754e3cc1bdd00607558639033416
                                                • Instruction Fuzzy Hash: 33410875A00208AFCF00DFE4C989A9E7BB6FF48314B20457AF515EB2D1DB799981CB54
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 39%
                                                			E00402902(short __ebx, short* __edi) {
                                                				void* _t21;
                                                
                                                				if(FindFirstFileW(E00402D3E(2), _t21 - 0x2dc) != 0xffffffff) {
                                                					E00406358( *((intOrPtr*)(_t21 - 0xc)), _t8);
                                                					_push(_t21 - 0x2b0);
                                                					_push(__edi);
                                                					E00406411();
                                                				} else {
                                                					 *((short*)( *((intOrPtr*)(_t21 - 0xc)))) = __ebx;
                                                					 *__edi = __ebx;
                                                					 *((intOrPtr*)(_t21 - 4)) = 1;
                                                				}
                                                				 *0x434fa8 =  *0x434fa8 +  *((intOrPtr*)(_t21 - 4));
                                                				return 0;
                                                			}

                                                APIs
                                                • FindFirstFileW.KERNEL32(00000000,?,00000002), ref: 00402911
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.835235633.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.835227877.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835247650.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835255668.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835279889.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835287535.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835293393.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835311029.0000000000460000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835319576.000000000047B000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835326492.000000000047E000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900.jbxd
                                                Similarity
                                                • API ID: FileFindFirst
                                                • String ID:
                                                • API String ID: 1974802433-0
                                                • Opcode ID: f1f75f85ad8f91268d35bee39362f1624f539314e89723e4461874efd2ba877a
                                                • Instruction ID: 56039e75b3af19f60320d449630e93dfdbb15a7187211f692f50db0849c99601
                                                • Opcode Fuzzy Hash: f1f75f85ad8f91268d35bee39362f1624f539314e89723e4461874efd2ba877a
                                                • Instruction Fuzzy Hash: C8F08C71A04114AEC700DFA4DD499AEB378EF10328F70457BE511F31E0D7B89E119B29
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 79%
                                                			E00406C81(signed int __ebx, signed int* __esi) {
                                                				signed int _t396;
                                                				signed int _t425;
                                                				signed int _t442;
                                                				signed int _t443;
                                                				signed int* _t446;
                                                				void* _t448;
                                                
                                                				L0:
                                                				while(1) {
                                                					L0:
                                                					_t446 = __esi;
                                                					_t425 = __ebx;
                                                					if( *(_t448 - 0x34) == 0) {
                                                						break;
                                                					}
                                                					L55:
                                                					__eax =  *(__ebp - 0x38);
                                                					 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
                                                					__ecx = __ebx;
                                                					 *( *(__ebp - 0x38)) & 0x000000ff = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                					 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                					 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
                                                					__ebx = __ebx + 8;
                                                					while(1) {
                                                						L56:
                                                						if(__ebx < 0xe) {
                                                							goto L0;
                                                						}
                                                						L57:
                                                						__eax =  *(__ebp - 0x40);
                                                						__eax =  *(__ebp - 0x40) & 0x00003fff;
                                                						__ecx = __eax;
                                                						__esi[1] = __eax;
                                                						__ecx = __eax & 0x0000001f;
                                                						if(__cl > 0x1d) {
                                                							L9:
                                                							_t443 = _t442 | 0xffffffff;
                                                							 *_t446 = 0x11;
                                                							L10:
                                                							_t446[0x147] =  *(_t448 - 0x40);
                                                							_t446[0x146] = _t425;
                                                							( *(_t448 + 8))[1] =  *(_t448 - 0x34);
                                                							L11:
                                                							 *( *(_t448 + 8)) =  *(_t448 - 0x38);
                                                							_t446[0x26ea] =  *(_t448 - 0x30);
                                                							E004073F0( *(_t448 + 8));
                                                							return _t443;
                                                						}
                                                						L58:
                                                						__eax = __eax & 0x000003e0;
                                                						if(__eax > 0x3a0) {
                                                							goto L9;
                                                						}
                                                						L59:
                                                						 *(__ebp - 0x40) =  *(__ebp - 0x40) >> 0xe;
                                                						__ebx = __ebx - 0xe;
                                                						_t94 =  &(__esi[2]);
                                                						 *_t94 = __esi[2] & 0x00000000;
                                                						 *__esi = 0xc;
                                                						while(1) {
                                                							L60:
                                                							__esi[1] = __esi[1] >> 0xa;
                                                							__eax = (__esi[1] >> 0xa) + 4;
                                                							if(__esi[2] >= (__esi[1] >> 0xa) + 4) {
                                                								goto L68;
                                                							}
                                                							L61:
                                                							while(1) {
                                                								L64:
                                                								if(__ebx >= 3) {
                                                									break;
                                                								}
                                                								L62:
                                                								if( *(__ebp - 0x34) == 0) {
                                                									goto L182;
                                                								}
                                                								L63:
                                                								__eax =  *(__ebp - 0x38);
                                                								 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
                                                								__ecx = __ebx;
                                                								 *( *(__ebp - 0x38)) & 0x000000ff = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                								 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                								 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
                                                								__ebx = __ebx + 8;
                                                							}
                                                							L65:
                                                							__ecx = __esi[2];
                                                							 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000007;
                                                							__ebx = __ebx - 3;
                                                							_t108 = __ecx + 0x4084d4; // 0x121110
                                                							__ecx =  *_t108;
                                                							 *(__ebp - 0x40) =  *(__ebp - 0x40) >> 3;
                                                							 *(__esi + 0xc +  *_t108 * 4) =  *(__ebp - 0x40) & 0x00000007;
                                                							__ecx = __esi[1];
                                                							__esi[2] = __esi[2] + 1;
                                                							__eax = __esi[2];
                                                							__esi[1] >> 0xa = (__esi[1] >> 0xa) + 4;
                                                							if(__esi[2] < (__esi[1] >> 0xa) + 4) {
                                                								goto L64;
                                                							}
                                                							L66:
                                                							while(1) {
                                                								L68:
                                                								if(__esi[2] >= 0x13) {
                                                									break;
                                                								}
                                                								L67:
                                                								_t119 = __esi[2] + 0x4084d4; // 0x4000300
                                                								__eax =  *_t119;
                                                								 *(__esi + 0xc +  *_t119 * 4) =  *(__esi + 0xc +  *_t119 * 4) & 0x00000000;
                                                								_t126 =  &(__esi[2]);
                                                								 *_t126 = __esi[2] + 1;
                                                							}
                                                							L69:
                                                							__ecx = __ebp - 8;
                                                							__edi =  &(__esi[0x143]);
                                                							 &(__esi[0x148]) =  &(__esi[0x144]);
                                                							__eax = 0;
                                                							 *(__ebp - 8) = 0;
                                                							__eax =  &(__esi[3]);
                                                							 *__edi = 7;
                                                							__eax = E00407458( &(__esi[3]), 0x13, 0x13, 0, 0,  &(__esi[0x144]), __edi,  &(__esi[0x148]), __ebp - 8);
                                                							if(__eax != 0) {
                                                								L72:
                                                								 *__esi = 0x11;
                                                								while(1) {
                                                									L180:
                                                									_t396 =  *_t446;
                                                									if(_t396 > 0xf) {
                                                										break;
                                                									}
                                                									L1:
                                                									switch( *((intOrPtr*)(_t396 * 4 +  &M004073B0))) {
                                                										case 0:
                                                											L101:
                                                											__eax = __esi[4] & 0x000000ff;
                                                											__esi[3] = __esi[4] & 0x000000ff;
                                                											__eax = __esi[5];
                                                											__esi[2] = __esi[5];
                                                											 *__esi = 1;
                                                											goto L102;
                                                										case 1:
                                                											L102:
                                                											__eax = __esi[3];
                                                											while(1) {
                                                												L105:
                                                												__eflags = __ebx - __eax;
                                                												if(__ebx >= __eax) {
                                                													break;
                                                												}
                                                												L103:
                                                												__eflags =  *(__ebp - 0x34);
                                                												if( *(__ebp - 0x34) == 0) {
                                                													goto L182;
                                                												}
                                                												L104:
                                                												__ecx =  *(__ebp - 0x38);
                                                												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
                                                												__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
                                                												__ecx = __ebx;
                                                												__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
                                                												__ebx = __ebx + 8;
                                                												__eflags = __ebx;
                                                											}
                                                											L106:
                                                											__eax =  *(0x40a5c4 + __eax * 2) & 0x0000ffff;
                                                											__eax = __eax &  *(__ebp - 0x40);
                                                											__ecx = __esi[2];
                                                											__eax = __esi[2] + __eax * 4;
                                                											__ecx =  *(__eax + 1) & 0x000000ff;
                                                											 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
                                                											__ebx = __ebx - ( *(__eax + 1) & 0x000000ff);
                                                											__ecx =  *__eax & 0x000000ff;
                                                											__eflags = __ecx;
                                                											if(__ecx != 0) {
                                                												L108:
                                                												__eflags = __cl & 0x00000010;
                                                												if((__cl & 0x00000010) == 0) {
                                                													L110:
                                                													__eflags = __cl & 0x00000040;
                                                													if((__cl & 0x00000040) == 0) {
                                                														goto L125;
                                                													}
                                                													L111:
                                                													__eflags = __cl & 0x00000020;
                                                													if((__cl & 0x00000020) == 0) {
                                                														goto L9;
                                                													}
                                                													L112:
                                                													 *__esi = 7;
                                                													goto L180;
                                                												}
                                                												L109:
                                                												__esi[2] = __ecx;
                                                												__esi[1] = __eax;
                                                												 *__esi = 2;
                                                												goto L180;
                                                											}
                                                											L107:
                                                											__esi[2] = __eax;
                                                											 *__esi = 6;
                                                											goto L180;
                                                										case 2:
                                                											L113:
                                                											__eax = __esi[2];
                                                											while(1) {
                                                												L116:
                                                												__eflags = __ebx - __eax;
                                                												if(__ebx >= __eax) {
                                                													break;
                                                												}
                                                												L114:
                                                												__eflags =  *(__ebp - 0x34);
                                                												if( *(__ebp - 0x34) == 0) {
                                                													goto L182;
                                                												}
                                                												L115:
                                                												__ecx =  *(__ebp - 0x38);
                                                												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
                                                												__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
                                                												__ecx = __ebx;
                                                												__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
                                                												__ebx = __ebx + 8;
                                                												__eflags = __ebx;
                                                											}
                                                											L117:
                                                											 *(0x40a5c4 + __eax * 2) & 0x0000ffff =  *(0x40a5c4 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40);
                                                											__esi[1] = __esi[1] + ( *(0x40a5c4 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40));
                                                											__ecx = __eax;
                                                											 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
                                                											__ebx = __ebx - __eax;
                                                											__eflags = __ebx;
                                                											__eax = __esi[4] & 0x000000ff;
                                                											__esi[3] = __esi[4] & 0x000000ff;
                                                											__eax = __esi[6];
                                                											__esi[2] = __esi[6];
                                                											 *__esi = 3;
                                                											goto L118;
                                                										case 3:
                                                											L118:
                                                											__eax = __esi[3];
                                                											while(1) {
                                                												L121:
                                                												__eflags = __ebx - __eax;
                                                												if(__ebx >= __eax) {
                                                													break;
                                                												}
                                                												L119:
                                                												__eflags =  *(__ebp - 0x34);
                                                												if( *(__ebp - 0x34) == 0) {
                                                													goto L182;
                                                												}
                                                												L120:
                                                												__ecx =  *(__ebp - 0x38);
                                                												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
                                                												__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
                                                												__ecx = __ebx;
                                                												__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
                                                												__ebx = __ebx + 8;
                                                												__eflags = __ebx;
                                                											}
                                                											L122:
                                                											__eax =  *(0x40a5c4 + __eax * 2) & 0x0000ffff;
                                                											__eax = __eax &  *(__ebp - 0x40);
                                                											__ecx = __esi[2];
                                                											__eax = __esi[2] + __eax * 4;
                                                											__ecx =  *(__eax + 1) & 0x000000ff;
                                                											 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
                                                											__ebx = __ebx - ( *(__eax + 1) & 0x000000ff);
                                                											__ecx =  *__eax & 0x000000ff;
                                                											__eflags = __cl & 0x00000010;
                                                											if((__cl & 0x00000010) == 0) {
                                                												L124:
                                                												__eflags = __cl & 0x00000040;
                                                												if((__cl & 0x00000040) != 0) {
                                                													goto L9;
                                                												}
                                                												L125:
                                                												__esi[3] = __ecx;
                                                												__ecx =  *(__eax + 2) & 0x0000ffff;
                                                												__esi[2] = __eax;
                                                												goto L180;
                                                											}
                                                											L123:
                                                											__esi[2] = __ecx;
                                                											__esi[3] = __eax;
                                                											 *__esi = 4;
                                                											goto L180;
                                                										case 4:
                                                											L126:
                                                											__eax = __esi[2];
                                                											while(1) {
                                                												L129:
                                                												__eflags = __ebx - __eax;
                                                												if(__ebx >= __eax) {
                                                													break;
                                                												}
                                                												L127:
                                                												__eflags =  *(__ebp - 0x34);
                                                												if( *(__ebp - 0x34) == 0) {
                                                													goto L182;
                                                												}
                                                												L128:
                                                												__ecx =  *(__ebp - 0x38);
                                                												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
                                                												__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
                                                												__ecx = __ebx;
                                                												__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
                                                												__ebx = __ebx + 8;
                                                												__eflags = __ebx;
                                                											}
                                                											L130:
                                                											 *(0x40a5c4 + __eax * 2) & 0x0000ffff =  *(0x40a5c4 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40);
                                                											__esi[3] = __esi[3] + ( *(0x40a5c4 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40));
                                                											__ecx = __eax;
                                                											 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
                                                											__ebx = __ebx - __eax;
                                                											__eflags = __ebx;
                                                											 *__esi = 5;
                                                											goto L131;
                                                										case 5:
                                                											L131:
                                                											__eax =  *(__ebp - 0x30);
                                                											__edx = __esi[3];
                                                											__eax = __eax - __esi;
                                                											__ecx = __eax - __esi - 0x1ba0;
                                                											__eflags = __eax - __esi - 0x1ba0 - __edx;
                                                											if(__eax - __esi - 0x1ba0 >= __edx) {
                                                												__ecx = __eax;
                                                												__ecx = __eax - __edx;
                                                												__eflags = __ecx;
                                                											} else {
                                                												__esi[0x26e8] = __esi[0x26e8] - __edx;
                                                												__ecx = __esi[0x26e8] - __edx - __esi;
                                                												__ecx = __esi[0x26e8] - __edx - __esi + __eax - 0x1ba0;
                                                											}
                                                											__eflags = __esi[1];
                                                											 *(__ebp - 0x20) = __ecx;
                                                											if(__esi[1] != 0) {
                                                												L135:
                                                												__edi =  *(__ebp - 0x2c);
                                                												do {
                                                													L136:
                                                													__eflags = __edi;
                                                													if(__edi != 0) {
                                                														goto L152;
                                                													}
                                                													L137:
                                                													__edi = __esi[0x26e8];
                                                													__eflags = __eax - __edi;
                                                													if(__eax != __edi) {
                                                														L143:
                                                														__esi[0x26ea] = __eax;
                                                														__eax = E004073F0( *((intOrPtr*)(__ebp + 8)));
                                                														__eax = __esi[0x26ea];
                                                														__ecx = __esi[0x26e9];
                                                														__eflags = __eax - __ecx;
                                                														 *(__ebp - 0x30) = __eax;
                                                														if(__eax >= __ecx) {
                                                															__edi = __esi[0x26e8];
                                                															__edi = __esi[0x26e8] - __eax;
                                                															__eflags = __edi;
                                                														} else {
                                                															__ecx = __ecx - __eax;
                                                															__edi = __ecx - __eax - 1;
                                                														}
                                                														__edx = __esi[0x26e8];
                                                														__eflags = __eax - __edx;
                                                														 *(__ebp - 8) = __edx;
                                                														if(__eax == __edx) {
                                                															__edx =  &(__esi[0x6e8]);
                                                															__eflags = __ecx - __edx;
                                                															if(__ecx != __edx) {
                                                																__eax = __edx;
                                                																__eflags = __eax - __ecx;
                                                																 *(__ebp - 0x30) = __eax;
                                                																if(__eax >= __ecx) {
                                                																	__edi =  *(__ebp - 8);
                                                																	__edi =  *(__ebp - 8) - __eax;
                                                																	__eflags = __edi;
                                                																} else {
                                                																	__ecx = __ecx - __eax;
                                                																	__edi = __ecx;
                                                																}
                                                															}
                                                														}
                                                														__eflags = __edi;
                                                														if(__edi == 0) {
                                                															goto L183;
                                                														} else {
                                                															goto L152;
                                                														}
                                                													}
                                                													L138:
                                                													__ecx = __esi[0x26e9];
                                                													__edx =  &(__esi[0x6e8]);
                                                													__eflags = __ecx - __edx;
                                                													if(__ecx == __edx) {
                                                														goto L143;
                                                													}
                                                													L139:
                                                													__eax = __edx;
                                                													__eflags = __eax - __ecx;
                                                													if(__eax >= __ecx) {
                                                														__edi = __edi - __eax;
                                                														__eflags = __edi;
                                                													} else {
                                                														__ecx = __ecx - __eax;
                                                														__edi = __ecx;
                                                													}
                                                													__eflags = __edi;
                                                													if(__edi == 0) {
                                                														goto L143;
                                                													}
                                                													L152:
                                                													__ecx =  *(__ebp - 0x20);
                                                													 *__eax =  *__ecx;
                                                													__eax = __eax + 1;
                                                													__ecx = __ecx + 1;
                                                													__edi = __edi - 1;
                                                													__eflags = __ecx - __esi[0x26e8];
                                                													 *(__ebp - 0x30) = __eax;
                                                													 *(__ebp - 0x20) = __ecx;
                                                													 *(__ebp - 0x2c) = __edi;
                                                													if(__ecx == __esi[0x26e8]) {
                                                														__ecx =  &(__esi[0x6e8]);
                                                														 *(__ebp - 0x20) =  &(__esi[0x6e8]);
                                                													}
                                                													_t357 =  &(__esi[1]);
                                                													 *_t357 = __esi[1] - 1;
                                                													__eflags =  *_t357;
                                                												} while ( *_t357 != 0);
                                                											}
                                                											goto L23;
                                                										case 6:
                                                											L156:
                                                											__eax =  *(__ebp - 0x2c);
                                                											__edi =  *(__ebp - 0x30);
                                                											__eflags = __eax;
                                                											if(__eax != 0) {
                                                												L172:
                                                												__cl = __esi[2];
                                                												 *__edi = __cl;
                                                												__edi = __edi + 1;
                                                												__eax = __eax - 1;
                                                												 *(__ebp - 0x30) = __edi;
                                                												 *(__ebp - 0x2c) = __eax;
                                                												goto L23;
                                                											}
                                                											L157:
                                                											__ecx = __esi[0x26e8];
                                                											__eflags = __edi - __ecx;
                                                											if(__edi != __ecx) {
                                                												L163:
                                                												__esi[0x26ea] = __edi;
                                                												__eax = E004073F0( *((intOrPtr*)(__ebp + 8)));
                                                												__edi = __esi[0x26ea];
                                                												__ecx = __esi[0x26e9];
                                                												__eflags = __edi - __ecx;
                                                												 *(__ebp - 0x30) = __edi;
                                                												if(__edi >= __ecx) {
                                                													__eax = __esi[0x26e8];
                                                													__eax = __esi[0x26e8] - __edi;
                                                													__eflags = __eax;
                                                												} else {
                                                													__ecx = __ecx - __edi;
                                                													__eax = __ecx - __edi - 1;
                                                												}
                                                												__edx = __esi[0x26e8];
                                                												__eflags = __edi - __edx;
                                                												 *(__ebp - 8) = __edx;
                                                												if(__edi == __edx) {
                                                													__edx =  &(__esi[0x6e8]);
                                                													__eflags = __ecx - __edx;
                                                													if(__ecx != __edx) {
                                                														__edi = __edx;
                                                														__eflags = __edi - __ecx;
                                                														 *(__ebp - 0x30) = __edi;
                                                														if(__edi >= __ecx) {
                                                															__eax =  *(__ebp - 8);
                                                															__eax =  *(__ebp - 8) - __edi;
                                                															__eflags = __eax;
                                                														} else {
                                                															__ecx = __ecx - __edi;
                                                															__eax = __ecx;
                                                														}
                                                													}
                                                												}
                                                												__eflags = __eax;
                                                												if(__eax == 0) {
                                                													goto L183;
                                                												} else {
                                                													goto L172;
                                                												}
                                                											}
                                                											L158:
                                                											__eax = __esi[0x26e9];
                                                											__edx =  &(__esi[0x6e8]);
                                                											__eflags = __eax - __edx;
                                                											if(__eax == __edx) {
                                                												goto L163;
                                                											}
                                                											L159:
                                                											__edi = __edx;
                                                											__eflags = __edi - __eax;
                                                											if(__edi >= __eax) {
                                                												__ecx = __ecx - __edi;
                                                												__eflags = __ecx;
                                                												__eax = __ecx;
                                                											} else {
                                                												__eax = __eax - __edi;
                                                												__eax = __eax - 1;
                                                											}
                                                											__eflags = __eax;
                                                											if(__eax != 0) {
                                                												goto L172;
                                                											} else {
                                                												goto L163;
                                                											}
                                                										case 7:
                                                											L173:
                                                											__eflags = __ebx - 7;
                                                											if(__ebx > 7) {
                                                												__ebx = __ebx - 8;
                                                												 *(__ebp - 0x34) =  *(__ebp - 0x34) + 1;
                                                												_t380 = __ebp - 0x38;
                                                												 *_t380 =  *(__ebp - 0x38) - 1;
                                                												__eflags =  *_t380;
                                                											}
                                                											goto L175;
                                                										case 8:
                                                											L4:
                                                											while(_t425 < 3) {
                                                												if( *(_t448 - 0x34) == 0) {
                                                													goto L182;
                                                												} else {
                                                													 *(_t448 - 0x34) =  *(_t448 - 0x34) - 1;
                                                													 *(_t448 - 0x40) =  *(_t448 - 0x40) | ( *( *(_t448 - 0x38)) & 0x000000ff) << _t425;
                                                													 *(_t448 - 0x38) =  &(( *(_t448 - 0x38))[1]);
                                                													_t425 = _t425 + 8;
                                                													continue;
                                                												}
                                                											}
                                                											_t425 = _t425 - 3;
                                                											 *(_t448 - 0x40) =  *(_t448 - 0x40) >> 3;
                                                											_t406 =  *(_t448 - 0x40) & 0x00000007;
                                                											asm("sbb ecx, ecx");
                                                											_t408 = _t406 >> 1;
                                                											_t446[0x145] = ( ~(_t406 & 0x00000001) & 0x00000007) + 8;
                                                											if(_t408 == 0) {
                                                												L24:
                                                												 *_t446 = 9;
                                                												_t436 = _t425 & 0x00000007;
                                                												 *(_t448 - 0x40) =  *(_t448 - 0x40) >> _t436;
                                                												_t425 = _t425 - _t436;
                                                												goto L180;
                                                											}
                                                											L6:
                                                											_t411 = _t408 - 1;
                                                											if(_t411 == 0) {
                                                												L13:
                                                												__eflags =  *0x432e90;
                                                												if( *0x432e90 != 0) {
                                                													L22:
                                                													_t412 =  *0x40a5e8; // 0x9
                                                													_t446[4] = _t412;
                                                													_t413 =  *0x40a5ec; // 0x5
                                                													_t446[4] = _t413;
                                                													_t414 =  *0x431d0c; // 0x0
                                                													_t446[5] = _t414;
                                                													_t415 =  *0x431d08; // 0x0
                                                													_t446[6] = _t415;
                                                													L23:
                                                													 *_t446 =  *_t446 & 0x00000000;
                                                													goto L180;
                                                												} else {
                                                													_t26 = _t448 - 8;
                                                													 *_t26 =  *(_t448 - 8) & 0x00000000;
                                                													__eflags =  *_t26;
                                                													_t416 = 0x431d10;
                                                													goto L15;
                                                													L20:
                                                													 *_t416 = _t438;
                                                													_t416 = _t416 + 4;
                                                													__eflags = _t416 - 0x432190;
                                                													if(_t416 < 0x432190) {
                                                														L15:
                                                														__eflags = _t416 - 0x431f4c;
                                                														_t438 = 8;
                                                														if(_t416 > 0x431f4c) {
                                                															__eflags = _t416 - 0x432110;
                                                															if(_t416 >= 0x432110) {
                                                																__eflags = _t416 - 0x432170;
                                                																if(_t416 < 0x432170) {
                                                																	_t438 = 7;
                                                																}
                                                															} else {
                                                																_t438 = 9;
                                                															}
                                                														}
                                                														goto L20;
                                                													} else {
                                                														E00407458(0x431d10, 0x120, 0x101, 0x4084e8, 0x408528, 0x431d0c, 0x40a5e8, 0x432610, _t448 - 8);
                                                														_push(0x1e);
                                                														_pop(_t440);
                                                														_push(5);
                                                														_pop(_t419);
                                                														memset(0x431d10, _t419, _t440 << 2);
                                                														_t450 = _t450 + 0xc;
                                                														_t442 = 0x431d10 + _t440;
                                                														E00407458(0x431d10, 0x1e, 0, 0x408568, 0x4085a4, 0x431d08, 0x40a5ec, 0x432610, _t448 - 8);
                                                														 *0x432e90 =  *0x432e90 + 1;
                                                														__eflags =  *0x432e90;
                                                														goto L22;
                                                													}
                                                												}
                                                											}
                                                											L7:
                                                											_t423 = _t411 - 1;
                                                											if(_t423 == 0) {
                                                												 *_t446 = 0xb;
                                                												goto L180;
                                                											}
                                                											L8:
                                                											if(_t423 != 1) {
                                                												goto L180;
                                                											}
                                                											goto L9;
                                                										case 9:
                                                											while(1) {
                                                												L27:
                                                												__eflags = __ebx - 0x20;
                                                												if(__ebx >= 0x20) {
                                                													break;
                                                												}
                                                												L25:
                                                												__eflags =  *(__ebp - 0x34);
                                                												if( *(__ebp - 0x34) == 0) {
                                                													goto L182;
                                                												}
                                                												L26:
                                                												__eax =  *(__ebp - 0x38);
                                                												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
                                                												__ecx = __ebx;
                                                												 *( *(__ebp - 0x38)) & 0x000000ff = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
                                                												__ebx = __ebx + 8;
                                                												__eflags = __ebx;
                                                											}
                                                											L28:
                                                											__eax =  *(__ebp - 0x40);
                                                											__ebx = 0;
                                                											__eax =  *(__ebp - 0x40) & 0x0000ffff;
                                                											 *(__ebp - 0x40) = 0;
                                                											__eflags = __eax;
                                                											__esi[1] = __eax;
                                                											if(__eax == 0) {
                                                												goto L53;
                                                											}
                                                											L29:
                                                											_push(0xa);
                                                											_pop(__eax);
                                                											goto L54;
                                                										case 0xa:
                                                											L30:
                                                											__eflags =  *(__ebp - 0x34);
                                                											if( *(__ebp - 0x34) == 0) {
                                                												goto L182;
                                                											}
                                                											L31:
                                                											__eax =  *(__ebp - 0x2c);
                                                											__eflags = __eax;
                                                											if(__eax != 0) {
                                                												L48:
                                                												__eflags = __eax -  *(__ebp - 0x34);
                                                												if(__eax >=  *(__ebp - 0x34)) {
                                                													__eax =  *(__ebp - 0x34);
                                                												}
                                                												__ecx = __esi[1];
                                                												__eflags = __ecx - __eax;
                                                												__edi = __ecx;
                                                												if(__ecx >= __eax) {
                                                													__edi = __eax;
                                                												}
                                                												__eax = E00405EC2( *(__ebp - 0x30),  *(__ebp - 0x38), __edi);
                                                												 *(__ebp - 0x38) =  *(__ebp - 0x38) + __edi;
                                                												 *(__ebp - 0x34) =  *(__ebp - 0x34) - __edi;
                                                												 *(__ebp - 0x30) =  *(__ebp - 0x30) + __edi;
                                                												 *(__ebp - 0x2c) =  *(__ebp - 0x2c) - __edi;
                                                												_t80 =  &(__esi[1]);
                                                												 *_t80 = __esi[1] - __edi;
                                                												__eflags =  *_t80;
                                                												if( *_t80 == 0) {
                                                													L53:
                                                													__eax = __esi[0x145];
                                                													L54:
                                                													 *__esi = __eax;
                                                												}
                                                												goto L180;
                                                											}
                                                											L32:
                                                											__ecx = __esi[0x26e8];
                                                											__edx =  *(__ebp - 0x30);
                                                											__eflags = __edx - __ecx;
                                                											if(__edx != __ecx) {
                                                												L38:
                                                												__esi[0x26ea] = __edx;
                                                												__eax = E004073F0( *((intOrPtr*)(__ebp + 8)));
                                                												__edx = __esi[0x26ea];
                                                												__ecx = __esi[0x26e9];
                                                												__eflags = __edx - __ecx;
                                                												 *(__ebp - 0x30) = __edx;
                                                												if(__edx >= __ecx) {
                                                													__eax = __esi[0x26e8];
                                                													__eax = __esi[0x26e8] - __edx;
                                                													__eflags = __eax;
                                                												} else {
                                                													__ecx = __ecx - __edx;
                                                													__eax = __ecx - __edx - 1;
                                                												}
                                                												__edi = __esi[0x26e8];
                                                												 *(__ebp - 0x2c) = __eax;
                                                												__eflags = __edx - __edi;
                                                												if(__edx == __edi) {
                                                													__edx =  &(__esi[0x6e8]);
                                                													__eflags = __edx - __ecx;
                                                													if(__eflags != 0) {
                                                														 *(__ebp - 0x30) = __edx;
                                                														if(__eflags >= 0) {
                                                															__edi = __edi - __edx;
                                                															__eflags = __edi;
                                                															__eax = __edi;
                                                														} else {
                                                															__ecx = __ecx - __edx;
                                                															__eax = __ecx;
                                                														}
                                                														 *(__ebp - 0x2c) = __eax;
                                                													}
                                                												}
                                                												__eflags = __eax;
                                                												if(__eax == 0) {
                                                													goto L183;
                                                												} else {
                                                													goto L48;
                                                												}
                                                											}
                                                											L33:
                                                											__eax = __esi[0x26e9];
                                                											__edi =  &(__esi[0x6e8]);
                                                											__eflags = __eax - __edi;
                                                											if(__eax == __edi) {
                                                												goto L38;
                                                											}
                                                											L34:
                                                											__edx = __edi;
                                                											__eflags = __edx - __eax;
                                                											 *(__ebp - 0x30) = __edx;
                                                											if(__edx >= __eax) {
                                                												__ecx = __ecx - __edx;
                                                												__eflags = __ecx;
                                                												__eax = __ecx;
                                                											} else {
                                                												__eax = __eax - __edx;
                                                												__eax = __eax - 1;
                                                											}
                                                											__eflags = __eax;
                                                											 *(__ebp - 0x2c) = __eax;
                                                											if(__eax != 0) {
                                                												goto L48;
                                                											} else {
                                                												goto L38;
                                                											}
                                                										case 0xb:
                                                											goto L56;
                                                										case 0xc:
                                                											L60:
                                                											__esi[1] = __esi[1] >> 0xa;
                                                											__eax = (__esi[1] >> 0xa) + 4;
                                                											if(__esi[2] >= (__esi[1] >> 0xa) + 4) {
                                                												goto L68;
                                                											}
                                                											goto L61;
                                                										case 0xd:
                                                											while(1) {
                                                												L93:
                                                												__eax = __esi[1];
                                                												__ecx = __esi[2];
                                                												__edx = __eax;
                                                												__eax = __eax & 0x0000001f;
                                                												__edx = __edx >> 5;
                                                												__eax = __edx + __eax + 0x102;
                                                												__eflags = __esi[2] - __eax;
                                                												if(__esi[2] >= __eax) {
                                                													break;
                                                												}
                                                												L73:
                                                												__eax = __esi[0x143];
                                                												while(1) {
                                                													L76:
                                                													__eflags = __ebx - __eax;
                                                													if(__ebx >= __eax) {
                                                														break;
                                                													}
                                                													L74:
                                                													__eflags =  *(__ebp - 0x34);
                                                													if( *(__ebp - 0x34) == 0) {
                                                														goto L182;
                                                													}
                                                													L75:
                                                													__ecx =  *(__ebp - 0x38);
                                                													 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
                                                													__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
                                                													__ecx = __ebx;
                                                													__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                													 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                													 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
                                                													__ebx = __ebx + 8;
                                                													__eflags = __ebx;
                                                												}
                                                												L77:
                                                												__eax =  *(0x40a5c4 + __eax * 2) & 0x0000ffff;
                                                												__eax = __eax &  *(__ebp - 0x40);
                                                												__ecx = __esi[0x144];
                                                												__eax = __esi[0x144] + __eax * 4;
                                                												__edx =  *(__eax + 1) & 0x000000ff;
                                                												__eax =  *(__eax + 2) & 0x0000ffff;
                                                												__eflags = __eax - 0x10;
                                                												 *(__ebp - 0x14) = __eax;
                                                												if(__eax >= 0x10) {
                                                													L79:
                                                													__eflags = __eax - 0x12;
                                                													if(__eax != 0x12) {
                                                														__eax = __eax + 0xfffffff2;
                                                														 *(__ebp - 8) = 3;
                                                													} else {
                                                														_push(7);
                                                														 *(__ebp - 8) = 0xb;
                                                														_pop(__eax);
                                                													}
                                                													while(1) {
                                                														L84:
                                                														__ecx = __eax + __edx;
                                                														__eflags = __ebx - __eax + __edx;
                                                														if(__ebx >= __eax + __edx) {
                                                															break;
                                                														}
                                                														L82:
                                                														__eflags =  *(__ebp - 0x34);
                                                														if( *(__ebp - 0x34) == 0) {
                                                															goto L182;
                                                														}
                                                														L83:
                                                														__ecx =  *(__ebp - 0x38);
                                                														 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
                                                														__edi =  *( *(__ebp - 0x38)) & 0x000000ff;
                                                														__ecx = __ebx;
                                                														__edi = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                														 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                														 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
                                                														__ebx = __ebx + 8;
                                                														__eflags = __ebx;
                                                													}
                                                													L85:
                                                													__ecx = __edx;
                                                													__ebx = __ebx - __edx;
                                                													 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
                                                													 *(0x40a5c4 + __eax * 2) & 0x0000ffff =  *(0x40a5c4 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40);
                                                													__edx =  *(__ebp - 8);
                                                													__ebx = __ebx - __eax;
                                                													__edx =  *(__ebp - 8) + ( *(0x40a5c4 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40));
                                                													__ecx = __eax;
                                                													__eax = __esi[1];
                                                													 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
                                                													__ecx = __esi[2];
                                                													__eax = __eax >> 5;
                                                													__edi = __eax >> 0x00000005 & 0x0000001f;
                                                													__eax = __eax & 0x0000001f;
                                                													__eax = __edi + __eax + 0x102;
                                                													__edi = __edx + __ecx;
                                                													__eflags = __edx + __ecx - __eax;
                                                													if(__edx + __ecx > __eax) {
                                                														goto L9;
                                                													}
                                                													L86:
                                                													__eflags =  *(__ebp - 0x14) - 0x10;
                                                													if( *(__ebp - 0x14) != 0x10) {
                                                														L89:
                                                														__edi = 0;
                                                														__eflags = 0;
                                                														L90:
                                                														__eax = __esi + 0xc + __ecx * 4;
                                                														do {
                                                															L91:
                                                															 *__eax = __edi;
                                                															__ecx = __ecx + 1;
                                                															__eax = __eax + 4;
                                                															__edx = __edx - 1;
                                                															__eflags = __edx;
                                                														} while (__edx != 0);
                                                														__esi[2] = __ecx;
                                                														continue;
                                                													}
                                                													L87:
                                                													__eflags = __ecx - 1;
                                                													if(__ecx < 1) {
                                                														goto L9;
                                                													}
                                                													L88:
                                                													__edi =  *(__esi + 8 + __ecx * 4);
                                                													goto L90;
                                                												}
                                                												L78:
                                                												__ecx = __edx;
                                                												__ebx = __ebx - __edx;
                                                												 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
                                                												__ecx = __esi[2];
                                                												 *(__esi + 0xc + __esi[2] * 4) = __eax;
                                                												__esi[2] = __esi[2] + 1;
                                                											}
                                                											L94:
                                                											__eax = __esi[1];
                                                											__esi[0x144] = __esi[0x144] & 0x00000000;
                                                											 *(__ebp - 0xc) =  *(__ebp - 0xc) & 0x00000000;
                                                											__edi = __eax;
                                                											__eax = __eax >> 5;
                                                											__edi = __edi & 0x0000001f;
                                                											__ecx = 0x101;
                                                											__eax = __eax & 0x0000001f;
                                                											__edi = __edi + 0x101;
                                                											__eax = __eax + 1;
                                                											__edx = __ebp - 0xc;
                                                											 *(__ebp - 0x14) = __eax;
                                                											 &(__esi[0x148]) = __ebp - 4;
                                                											 *(__ebp - 4) = 9;
                                                											__ebp - 0x18 =  &(__esi[3]);
                                                											 *(__ebp - 0x10) = 6;
                                                											__eax = E00407458( &(__esi[3]), __edi, 0x101, 0x4084e8, 0x408528, __ebp - 0x18, __ebp - 4,  &(__esi[0x148]), __ebp - 0xc);
                                                											__eflags =  *(__ebp - 4);
                                                											if( *(__ebp - 4) == 0) {
                                                												__eax = __eax | 0xffffffff;
                                                												__eflags = __eax;
                                                											}
                                                											__eflags = __eax;
                                                											if(__eax != 0) {
                                                												goto L9;
                                                											} else {
                                                												L97:
                                                												__ebp - 0xc =  &(__esi[0x148]);
                                                												__ebp - 0x10 = __ebp - 0x1c;
                                                												__eax = __esi + 0xc + __edi * 4;
                                                												__eax = E00407458(__esi + 0xc + __edi * 4,  *(__ebp - 0x14), 0, 0x408568, 0x4085a4, __ebp - 0x1c, __ebp - 0x10,  &(__esi[0x148]), __ebp - 0xc);
                                                												__eflags = __eax;
                                                												if(__eax != 0) {
                                                													goto L9;
                                                												}
                                                												L98:
                                                												__eax =  *(__ebp - 0x10);
                                                												__eflags =  *(__ebp - 0x10);
                                                												if( *(__ebp - 0x10) != 0) {
                                                													L100:
                                                													__cl =  *(__ebp - 4);
                                                													 *__esi =  *__esi & 0x00000000;
                                                													__eflags =  *__esi;
                                                													__esi[4] = __al;
                                                													__eax =  *(__ebp - 0x18);
                                                													__esi[5] =  *(__ebp - 0x18);
                                                													__eax =  *(__ebp - 0x1c);
                                                													__esi[4] = __cl;
                                                													__esi[6] =  *(__ebp - 0x1c);
                                                													goto L101;
                                                												}
                                                												L99:
                                                												__eflags = __edi - 0x101;
                                                												if(__edi > 0x101) {
                                                													goto L9;
                                                												}
                                                												goto L100;
                                                											}
                                                										case 0xe:
                                                											goto L9;
                                                										case 0xf:
                                                											L175:
                                                											__eax =  *(__ebp - 0x30);
                                                											__esi[0x26ea] =  *(__ebp - 0x30);
                                                											__eax = E004073F0( *((intOrPtr*)(__ebp + 8)));
                                                											__ecx = __esi[0x26ea];
                                                											__edx = __esi[0x26e9];
                                                											__eflags = __ecx - __edx;
                                                											 *(__ebp - 0x30) = __ecx;
                                                											if(__ecx >= __edx) {
                                                												__eax = __esi[0x26e8];
                                                												__eax = __esi[0x26e8] - __ecx;
                                                												__eflags = __eax;
                                                											} else {
                                                												__edx = __edx - __ecx;
                                                												__eax = __edx - __ecx - 1;
                                                											}
                                                											__eflags = __ecx - __edx;
                                                											 *(__ebp - 0x2c) = __eax;
                                                											if(__ecx != __edx) {
                                                												L183:
                                                												__edi = 0;
                                                												goto L10;
                                                											} else {
                                                												L179:
                                                												__eax = __esi[0x145];
                                                												__eflags = __eax - 8;
                                                												 *__esi = __eax;
                                                												if(__eax != 8) {
                                                													L184:
                                                													0 = 1;
                                                													goto L10;
                                                												}
                                                												goto L180;
                                                											}
                                                									}
                                                								}
                                                								L181:
                                                								goto L9;
                                                							}
                                                							L70:
                                                							if( *__edi == __eax) {
                                                								goto L72;
                                                							}
                                                							L71:
                                                							__esi[2] = __esi[2] & __eax;
                                                							 *__esi = 0xd;
                                                							goto L93;
                                                						}
                                                					}
                                                				}
                                                				L182:
                                                				_t443 = 0;
                                                				_t446[0x147] =  *(_t448 - 0x40);
                                                				_t446[0x146] = _t425;
                                                				( *(_t448 + 8))[1] = 0;
                                                				goto L11;
                                                			}









                                                0x004070ff
                                                0x00000000
                                                0x00000000
                                                0x00407125
                                                0x00407125
                                                0x0040714a
                                                0x0040714a
                                                0x0040714a
                                                0x0040714c
                                                0x00000000
                                                0x00000000
                                                0x0040712a
                                                0x0040712a
                                                0x0040712e
                                                0x00000000
                                                0x00000000
                                                0x00407134
                                                0x00407134
                                                0x00407137
                                                0x0040713a
                                                0x0040713d
                                                0x0040713f
                                                0x00407141
                                                0x00407144
                                                0x00407147
                                                0x00407147
                                                0x00407147
                                                0x0040714e
                                                0x00407156
                                                0x00407159
                                                0x0040715c
                                                0x0040715e
                                                0x00407161
                                                0x00407161
                                                0x00407163
                                                0x00000000
                                                0x00000000
                                                0x00407169
                                                0x00407169
                                                0x0040716c
                                                0x00407171
                                                0x00407173
                                                0x00407179
                                                0x0040717b
                                                0x00407190
                                                0x00407192
                                                0x00407192
                                                0x0040717d
                                                0x00407183
                                                0x00407185
                                                0x00407187
                                                0x00407187
                                                0x00407194
                                                0x00407198
                                                0x0040719b
                                                0x004071a1
                                                0x004071a1
                                                0x004071a4
                                                0x004071a4
                                                0x004071a4
                                                0x004071a6
                                                0x00000000
                                                0x00000000
                                                0x004071ac
                                                0x004071ac
                                                0x004071b2
                                                0x004071b4
                                                0x004071d9
                                                0x004071dc
                                                0x004071e2
                                                0x004071e7
                                                0x004071ed
                                                0x004071f3
                                                0x004071f5
                                                0x004071f8
                                                0x00407201
                                                0x00407207
                                                0x00407207
                                                0x004071fa
                                                0x004071fc
                                                0x004071fe
                                                0x004071fe
                                                0x00407209
                                                0x0040720f
                                                0x00407211
                                                0x00407214
                                                0x00407216
                                                0x0040721c
                                                0x0040721e
                                                0x00407220
                                                0x00407222
                                                0x00407224
                                                0x00407227
                                                0x00407230
                                                0x00407233
                                                0x00407233
                                                0x00407229
                                                0x00407229
                                                0x0040722c
                                                0x0040722c
                                                0x00407227
                                                0x0040721e
                                                0x00407235
                                                0x00407237
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x00407237
                                                0x004071b6
                                                0x004071b6
                                                0x004071bc
                                                0x004071c2
                                                0x004071c4
                                                0x00000000
                                                0x00000000
                                                0x004071c6
                                                0x004071c6
                                                0x004071c8
                                                0x004071ca
                                                0x004071d3
                                                0x004071d3
                                                0x004071cc
                                                0x004071cc
                                                0x004071cf
                                                0x004071cf
                                                0x004071d5
                                                0x004071d7
                                                0x00000000
                                                0x00000000
                                                0x0040723d
                                                0x0040723d
                                                0x00407242
                                                0x00407244
                                                0x00407245
                                                0x00407246
                                                0x00407247
                                                0x0040724d
                                                0x00407250
                                                0x00407253
                                                0x00407256
                                                0x00407258
                                                0x0040725e
                                                0x0040725e
                                                0x00407261
                                                0x00407261
                                                0x00407261
                                                0x00407261
                                                0x0040726a
                                                0x00000000
                                                0x00000000
                                                0x0040726f
                                                0x0040726f
                                                0x00407272
                                                0x00407275
                                                0x00407277
                                                0x0040730e
                                                0x0040730e
                                                0x00407311
                                                0x00407313
                                                0x00407314
                                                0x00407315
                                                0x00407318
                                                0x00000000
                                                0x00407318
                                                0x0040727d
                                                0x0040727d
                                                0x00407283
                                                0x00407285
                                                0x004072aa
                                                0x004072ad
                                                0x004072b3
                                                0x004072b8
                                                0x004072be
                                                0x004072c4
                                                0x004072c6
                                                0x004072c9
                                                0x004072d2
                                                0x004072d8
                                                0x004072d8
                                                0x004072cb
                                                0x004072cd
                                                0x004072cf
                                                0x004072cf
                                                0x004072da
                                                0x004072e0
                                                0x004072e2
                                                0x004072e5
                                                0x004072e7
                                                0x004072ed
                                                0x004072ef
                                                0x004072f1
                                                0x004072f3
                                                0x004072f5
                                                0x004072f8
                                                0x00407301
                                                0x00407304
                                                0x00407304
                                                0x004072fa
                                                0x004072fa
                                                0x004072fd
                                                0x004072fd
                                                0x004072f8
                                                0x004072ef
                                                0x00407306
                                                0x00407308
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x00407308
                                                0x00407287
                                                0x00407287
                                                0x0040728d
                                                0x00407293
                                                0x00407295
                                                0x00000000
                                                0x00000000
                                                0x00407297
                                                0x00407297
                                                0x00407299
                                                0x0040729b
                                                0x004072a2
                                                0x004072a2
                                                0x004072a4
                                                0x0040729d
                                                0x0040729d
                                                0x0040729f
                                                0x0040729f
                                                0x004072a6
                                                0x004072a8
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x00407320
                                                0x00407320
                                                0x00407323
                                                0x00407325
                                                0x00407328
                                                0x0040732b
                                                0x0040732b
                                                0x0040732b
                                                0x0040732b
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x004069d9
                                                0x004069bd
                                                0x00000000
                                                0x004069c3
                                                0x004069c6
                                                0x004069d0
                                                0x004069d3
                                                0x004069d6
                                                0x00000000
                                                0x004069d6
                                                0x004069bd
                                                0x004069e1
                                                0x004069e4
                                                0x004069e8
                                                0x004069f2
                                                0x004069fc
                                                0x004069ff
                                                0x00406a05
                                                0x00406b39
                                                0x00406b3b
                                                0x00406b41
                                                0x00406b44
                                                0x00406b47
                                                0x00000000
                                                0x00406b47
                                                0x00406a0b
                                                0x00406a0b
                                                0x00406a0c
                                                0x00406a64
                                                0x00406a64
                                                0x00406a6b
                                                0x00406b11
                                                0x00406b11
                                                0x00406b16
                                                0x00406b19
                                                0x00406b1e
                                                0x00406b21
                                                0x00406b26
                                                0x00406b29
                                                0x00406b2e
                                                0x00406b31
                                                0x00406b31
                                                0x00000000
                                                0x00406a71
                                                0x00406a71
                                                0x00406a71
                                                0x00406a71
                                                0x00406a75
                                                0x00406a75
                                                0x00406a97
                                                0x00406a9a
                                                0x00406a9c
                                                0x00406a9f
                                                0x00406aa4
                                                0x00406a7a
                                                0x00406a7a
                                                0x00406a7f
                                                0x00406a81
                                                0x00406a83
                                                0x00406a88
                                                0x00406a8e
                                                0x00406a93
                                                0x00406a95
                                                0x00406a95
                                                0x00406a8a
                                                0x00406a8a
                                                0x00406a8a
                                                0x00406a88
                                                0x00000000
                                                0x00406aa6
                                                0x00406ad3
                                                0x00406ad8
                                                0x00406ada
                                                0x00406adb
                                                0x00406add
                                                0x00406ade
                                                0x00406ade
                                                0x00406ade
                                                0x00406b06
                                                0x00406b0b
                                                0x00406b0b
                                                0x00000000
                                                0x00406b0b
                                                0x00406aa4
                                                0x00406a6b
                                                0x00406a0e
                                                0x00406a0e
                                                0x00406a0f
                                                0x00406a59
                                                0x00000000
                                                0x00406a59
                                                0x00406a11
                                                0x00406a12
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x00406b6e
                                                0x00406b6e
                                                0x00406b6e
                                                0x00406b71
                                                0x00000000
                                                0x00000000
                                                0x00406b4e
                                                0x00406b4e
                                                0x00406b52
                                                0x00000000
                                                0x00000000
                                                0x00406b58
                                                0x00406b58
                                                0x00406b5b
                                                0x00406b5e
                                                0x00406b63
                                                0x00406b65
                                                0x00406b68
                                                0x00406b6b
                                                0x00406b6b
                                                0x00406b6b
                                                0x00406b73
                                                0x00406b73
                                                0x00406b76
                                                0x00406b78
                                                0x00406b7d
                                                0x00406b80
                                                0x00406b82
                                                0x00406b85
                                                0x00000000
                                                0x00000000
                                                0x00406b8b
                                                0x00406b8b
                                                0x00406b8d
                                                0x00000000
                                                0x00000000
                                                0x00406b93
                                                0x00406b93
                                                0x00406b97
                                                0x00000000
                                                0x00000000
                                                0x00406b9d
                                                0x00406b9d
                                                0x00406ba0
                                                0x00406ba2
                                                0x00406c40
                                                0x00406c40
                                                0x00406c43
                                                0x00406c45
                                                0x00406c45
                                                0x00406c48
                                                0x00406c4b
                                                0x00406c4d
                                                0x00406c4f
                                                0x00406c51
                                                0x00406c51
                                                0x00406c5a
                                                0x00406c5f
                                                0x00406c62
                                                0x00406c65
                                                0x00406c68
                                                0x00406c6b
                                                0x00406c6b
                                                0x00406c6b
                                                0x00406c6e
                                                0x00406c74
                                                0x00406c74
                                                0x00406c7a
                                                0x00406c7a
                                                0x00406c7a
                                                0x00000000
                                                0x00406c6e
                                                0x00406ba8
                                                0x00406ba8
                                                0x00406bae
                                                0x00406bb1
                                                0x00406bb3
                                                0x00406bde
                                                0x00406be1
                                                0x00406be7
                                                0x00406bec
                                                0x00406bf2
                                                0x00406bf8
                                                0x00406bfa
                                                0x00406bfd
                                                0x00406c06
                                                0x00406c0c
                                                0x00406c0c
                                                0x00406bff
                                                0x00406c01
                                                0x00406c03
                                                0x00406c03
                                                0x00406c0e
                                                0x00406c14
                                                0x00406c17
                                                0x00406c19
                                                0x00406c1b
                                                0x00406c21
                                                0x00406c23
                                                0x00406c25
                                                0x00406c28
                                                0x00406c31
                                                0x00406c31
                                                0x00406c33
                                                0x00406c2a
                                                0x00406c2a
                                                0x00406c2d
                                                0x00406c2d
                                                0x00406c35
                                                0x00406c35
                                                0x00406c23
                                                0x00406c38
                                                0x00406c3a
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x00406c3a
                                                0x00406bb5
                                                0x00406bb5
                                                0x00406bbb
                                                0x00406bc1
                                                0x00406bc3
                                                0x00000000
                                                0x00000000
                                                0x00406bc5
                                                0x00406bc5
                                                0x00406bc7
                                                0x00406bc9
                                                0x00406bcc

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.835235633.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.835227877.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835247650.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835255668.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835279889.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835287535.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835293393.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835311029.0000000000460000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835319576.000000000047B000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835326492.000000000047E000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: fbe53aaae7eeab696340878b5eee03eb0fd33fb80e94407ce6853ed186f7d00c
                                                • Instruction ID: 1f017aaef81dd0f0ed7cb9892c5a428a4034ef251f890bfd5ca3fce11066bb94
                                                • Opcode Fuzzy Hash: fbe53aaae7eeab696340878b5eee03eb0fd33fb80e94407ce6853ed186f7d00c
                                                • Instruction Fuzzy Hash: 8FE1AA71A04709DFDB24CF58C880BAEB7F5EB45305F15842EE896AB2D1D738AA91CF44
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E00407458(signed char _a4, char _a5, short _a6, signed int _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, signed int* _a24, signed int _a28, intOrPtr _a32, signed int* _a36) {
                                                				signed int _v8;
                                                				unsigned int _v12;
                                                				signed int _v16;
                                                				intOrPtr _v20;
                                                				signed int _v24;
                                                				signed int _v28;
                                                				intOrPtr* _v32;
                                                				signed int* _v36;
                                                				signed int _v40;
                                                				signed int _v44;
                                                				intOrPtr _v48;
                                                				intOrPtr _v52;
                                                				void _v116;
                                                				signed int _v176;
                                                				signed int _v180;
                                                				signed int _v240;
                                                				signed int _t166;
                                                				signed int _t168;
                                                				intOrPtr _t175;
                                                				signed int _t181;
                                                				void* _t182;
                                                				intOrPtr _t183;
                                                				signed int* _t184;
                                                				signed int _t186;
                                                				signed int _t187;
                                                				signed int* _t189;
                                                				signed int _t190;
                                                				intOrPtr* _t191;
                                                				intOrPtr _t192;
                                                				signed int _t193;
                                                				signed int _t195;
                                                				signed int _t200;
                                                				signed int _t205;
                                                				void* _t207;
                                                				short _t208;
                                                				signed char _t222;
                                                				signed int _t224;
                                                				signed int _t225;
                                                				signed int* _t232;
                                                				signed int _t233;
                                                				signed int _t234;
                                                				void* _t235;
                                                				signed int _t236;
                                                				signed int _t244;
                                                				signed int _t246;
                                                				signed int _t251;
                                                				signed int _t254;
                                                				signed int _t256;
                                                				signed int _t259;
                                                				signed int _t262;
                                                				void* _t263;
                                                				void* _t264;
                                                				signed int _t267;
                                                				intOrPtr _t269;
                                                				intOrPtr _t271;
                                                				signed int _t274;
                                                				intOrPtr* _t275;
                                                				unsigned int _t276;
                                                				void* _t277;
                                                				signed int _t278;
                                                				intOrPtr* _t279;
                                                				signed int _t281;
                                                				intOrPtr _t282;
                                                				intOrPtr _t283;
                                                				signed int* _t284;
                                                				signed int _t286;
                                                				signed int _t287;
                                                				signed int _t288;
                                                				signed int _t296;
                                                				signed int* _t297;
                                                				intOrPtr _t298;
                                                				void* _t299;
                                                
                                                				_t278 = _a8;
                                                				_t187 = 0x10;
                                                				memset( &_v116, 0, _t187 << 2);
                                                				_t189 = _a4;
                                                				_t233 = _t278;
                                                				do {
                                                					_t166 =  *_t189;
                                                					_t189 =  &(_t189[1]);
                                                					 *((intOrPtr*)(_t299 + _t166 * 4 - 0x70)) =  *((intOrPtr*)(_t299 + _t166 * 4 - 0x70)) + 1;
                                                					_t233 = _t233 - 1;
                                                				} while (_t233 != 0);
                                                				if(_v116 != _t278) {
                                                					_t279 = _a28;
                                                					_t267 =  *_t279;
                                                					_t190 = 1;
                                                					_a28 = _t267;
                                                					_t234 = 0xf;
                                                					while(1) {
                                                						_t168 = 0;
                                                						if( *((intOrPtr*)(_t299 + _t190 * 4 - 0x70)) != 0) {
                                                							break;
                                                						}
                                                						_t190 = _t190 + 1;
                                                						if(_t190 <= _t234) {
                                                							continue;
                                                						}
                                                						break;
                                                					}
                                                					_v8 = _t190;
                                                					if(_t267 < _t190) {
                                                						_a28 = _t190;
                                                					}
                                                					while( *((intOrPtr*)(_t299 + _t234 * 4 - 0x70)) == _t168) {
                                                						_t234 = _t234 - 1;
                                                						if(_t234 != 0) {
                                                							continue;
                                                						}
                                                						break;
                                                					}
                                                					_v28 = _t234;
                                                					if(_a28 > _t234) {
                                                						_a28 = _t234;
                                                					}
                                                					 *_t279 = _a28;
                                                					_t181 = 1 << _t190;
                                                					while(_t190 < _t234) {
                                                						_t182 = _t181 -  *((intOrPtr*)(_t299 + _t190 * 4 - 0x70));
                                                						if(_t182 < 0) {
                                                							L64:
                                                							return _t168 | 0xffffffff;
                                                						}
                                                						_t190 = _t190 + 1;
                                                						_t181 = _t182 + _t182;
                                                					}
                                                					_t281 = _t234 << 2;
                                                					_t191 = _t299 + _t281 - 0x70;
                                                					_t269 =  *_t191;
                                                					_t183 = _t181 - _t269;
                                                					_v52 = _t183;
                                                					if(_t183 < 0) {
                                                						goto L64;
                                                					}
                                                					_v176 = _t168;
                                                					 *_t191 = _t269 + _t183;
                                                					_t192 = 0;
                                                					_t235 = _t234 - 1;
                                                					if(_t235 == 0) {
                                                						L21:
                                                						_t184 = _a4;
                                                						_t271 = 0;
                                                						do {
                                                							_t193 =  *_t184;
                                                							_t184 =  &(_t184[1]);
                                                							if(_t193 != _t168) {
                                                								_t232 = _t299 + _t193 * 4 - 0xb0;
                                                								_t236 =  *_t232;
                                                								 *((intOrPtr*)(0x432190 + _t236 * 4)) = _t271;
                                                								 *_t232 = _t236 + 1;
                                                							}
                                                							_t271 = _t271 + 1;
                                                						} while (_t271 < _a8);
                                                						_v16 = _v16 | 0xffffffff;
                                                						_v40 = _v40 & 0x00000000;
                                                						_a8 =  *((intOrPtr*)(_t299 + _t281 - 0xb0));
                                                						_t195 = _v8;
                                                						_t186 =  ~_a28;
                                                						_v12 = _t168;
                                                						_v180 = _t168;
                                                						_v36 = 0x432190;
                                                						_v240 = _t168;
                                                						if(_t195 > _v28) {
                                                							L62:
                                                							_t168 = 0;
                                                							if(_v52 == 0 || _v28 == 1) {
                                                								return _t168;
                                                							} else {
                                                								goto L64;
                                                							}
                                                						}
                                                						_v44 = _t195 - 1;
                                                						_v32 = _t299 + _t195 * 4 - 0x70;
                                                						do {
                                                							_t282 =  *_v32;
                                                							if(_t282 == 0) {
                                                								goto L61;
                                                							}
                                                							while(1) {
                                                								_t283 = _t282 - 1;
                                                								_t200 = _a28 + _t186;
                                                								_v48 = _t283;
                                                								_v24 = _t200;
                                                								if(_v8 <= _t200) {
                                                									goto L45;
                                                								}
                                                								L31:
                                                								_v20 = _t283 + 1;
                                                								do {
                                                									_v16 = _v16 + 1;
                                                									_t296 = _v28 - _v24;
                                                									if(_t296 > _a28) {
                                                										_t296 = _a28;
                                                									}
                                                									_t222 = _v8 - _v24;
                                                									_t254 = 1 << _t222;
                                                									if(1 <= _v20) {
                                                										L40:
                                                										_t256 =  *_a36;
                                                										_t168 = 1 << _t222;
                                                										_v40 = 1;
                                                										_t274 = _t256 + 1;
                                                										if(_t274 > 0x5a0) {
                                                											goto L64;
                                                										}
                                                									} else {
                                                										_t275 = _v32;
                                                										_t263 = _t254 + (_t168 | 0xffffffff) - _v48;
                                                										if(_t222 >= _t296) {
                                                											goto L40;
                                                										}
                                                										while(1) {
                                                											_t222 = _t222 + 1;
                                                											if(_t222 >= _t296) {
                                                												goto L40;
                                                											}
                                                											_t275 = _t275 + 4;
                                                											_t264 = _t263 + _t263;
                                                											_t175 =  *_t275;
                                                											if(_t264 <= _t175) {
                                                												goto L40;
                                                											}
                                                											_t263 = _t264 - _t175;
                                                										}
                                                										goto L40;
                                                									}
                                                									_t168 = _a32 + _t256 * 4;
                                                									_t297 = _t299 + _v16 * 4 - 0xec;
                                                									 *_a36 = _t274;
                                                									_t259 = _v16;
                                                									 *_t297 = _t168;
                                                									if(_t259 == 0) {
                                                										 *_a24 = _t168;
                                                									} else {
                                                										_t276 = _v12;
                                                										_t298 =  *((intOrPtr*)(_t297 - 4));
                                                										 *(_t299 + _t259 * 4 - 0xb0) = _t276;
                                                										_a5 = _a28;
                                                										_a4 = _t222;
                                                										_t262 = _t276 >> _t186;
                                                										_a6 = (_t168 - _t298 >> 2) - _t262;
                                                										 *(_t298 + _t262 * 4) = _a4;
                                                									}
                                                									_t224 = _v24;
                                                									_t186 = _t224;
                                                									_t225 = _t224 + _a28;
                                                									_v24 = _t225;
                                                								} while (_v8 > _t225);
                                                								L45:
                                                								_t284 = _v36;
                                                								_a5 = _v8 - _t186;
                                                								if(_t284 < 0x432190 + _a8 * 4) {
                                                									_t205 =  *_t284;
                                                									if(_t205 >= _a12) {
                                                										_t207 = _t205 - _a12 + _t205 - _a12;
                                                										_v36 =  &(_v36[1]);
                                                										_a4 =  *((intOrPtr*)(_t207 + _a20)) + 0x50;
                                                										_t208 =  *((intOrPtr*)(_t207 + _a16));
                                                									} else {
                                                										_a4 = (_t205 & 0xffffff00 | _t205 - 0x00000100 > 0x00000000) - 0x00000001 & 0x00000060;
                                                										_t208 =  *_t284;
                                                										_v36 =  &(_t284[1]);
                                                									}
                                                									_a6 = _t208;
                                                								} else {
                                                									_a4 = 0xc0;
                                                								}
                                                								_t286 = 1 << _v8 - _t186;
                                                								_t244 = _v12 >> _t186;
                                                								while(_t244 < _v40) {
                                                									 *(_t168 + _t244 * 4) = _a4;
                                                									_t244 = _t244 + _t286;
                                                								}
                                                								_t287 = _v12;
                                                								_t246 = 1 << _v44;
                                                								while((_t287 & _t246) != 0) {
                                                									_t287 = _t287 ^ _t246;
                                                									_t246 = _t246 >> 1;
                                                								}
                                                								_t288 = _t287 ^ _t246;
                                                								_v20 = 1;
                                                								_v12 = _t288;
                                                								_t251 = _v16;
                                                								if(((1 << _t186) - 0x00000001 & _t288) ==  *((intOrPtr*)(_t299 + _t251 * 4 - 0xb0))) {
                                                									L60:
                                                									if(_v48 != 0) {
                                                										_t282 = _v48;
                                                										_t283 = _t282 - 1;
                                                										_t200 = _a28 + _t186;
                                                										_v48 = _t283;
                                                										_v24 = _t200;
                                                										if(_v8 <= _t200) {
                                                											goto L45;
                                                										}
                                                										goto L31;
                                                									}
                                                									break;
                                                								} else {
                                                									goto L58;
                                                								}
                                                								do {
                                                									L58:
                                                									_t186 = _t186 - _a28;
                                                									_t251 = _t251 - 1;
                                                								} while (((1 << _t186) - 0x00000001 & _v12) !=  *((intOrPtr*)(_t299 + _t251 * 4 - 0xb0)));
                                                								_v16 = _t251;
                                                								goto L60;
                                                							}
                                                							L61:
                                                							_v8 = _v8 + 1;
                                                							_v32 = _v32 + 4;
                                                							_v44 = _v44 + 1;
                                                						} while (_v8 <= _v28);
                                                						goto L62;
                                                					}
                                                					_t277 = 0;
                                                					do {
                                                						_t192 = _t192 +  *((intOrPtr*)(_t299 + _t277 - 0x6c));
                                                						_t277 = _t277 + 4;
                                                						_t235 = _t235 - 1;
                                                						 *((intOrPtr*)(_t299 + _t277 - 0xac)) = _t192;
                                                					} while (_t235 != 0);
                                                					goto L21;
                                                				}
                                                				 *_a24 =  *_a24 & 0x00000000;
                                                				 *_a28 =  *_a28 & 0x00000000;
                                                				return 0;
                                                			}


                                                Memory Dump Source
                                                • Source File: 00000000.00000002.835235633.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.835227877.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835247650.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835255668.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835279889.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835287535.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835293393.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835311029.0000000000460000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835319576.000000000047B000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835326492.000000000047E000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: ad3a06017d63110f505e6ee1591874ec5e375aadb040ddd80f083a0c788ff2d1
                                                • Instruction ID: 4c948e8094d30857df7bb037d19ad889c7f26ef399dade94ff28b4422ea0219f
                                                • Opcode Fuzzy Hash: ad3a06017d63110f505e6ee1591874ec5e375aadb040ddd80f083a0c788ff2d1
                                                • Instruction Fuzzy Hash: A4C15931E042199BCF14CF68D8905EEBBB2BF88354F25866AD85677380D738B942CF95
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 91%
                                                			E00404526(struct HWND__* _a4, int _a8, unsigned int _a12, WCHAR* _a16) {
                                                				intOrPtr _v8;
                                                				int _v12;
                                                				void* _v16;
                                                				struct HWND__* _t56;
                                                				signed int _t75;
                                                				signed short* _t76;
                                                				signed short* _t78;
                                                				long _t92;
                                                				int _t103;
                                                				signed int _t110;
                                                				intOrPtr _t113;
                                                				WCHAR* _t114;
                                                				signed int* _t116;
                                                				WCHAR* _t117;
                                                				struct HWND__* _t118;
                                                
                                                				if(_a8 != 0x110) {
                                                					if(_a8 != 0x111) {
                                                						L13:
                                                						if(_a8 != 0x4e) {
                                                							if(_a8 == 0x40b) {
                                                								 *0x42b234 =  *0x42b234 + 1;
                                                							}
                                                							L27:
                                                							_t114 = _a16;
                                                							L28:
                                                							return E004043CE(_a8, _a12, _t114);
                                                						}
                                                						_t56 = GetDlgItem(_a4, 0x3e8);
                                                						_t114 = _a16;
                                                						if( *((intOrPtr*)(_t114 + 8)) == 0x70b &&  *((intOrPtr*)(_t114 + 0xc)) == 0x201) {
                                                							_t103 =  *((intOrPtr*)(_t114 + 0x1c));
                                                							_t113 =  *((intOrPtr*)(_t114 + 0x18));
                                                							_v12 = _t103;
                                                							_v16 = _t113;
                                                							_v8 = 0x432ea0;
                                                							if(_t103 - _t113 < 0x800) {
                                                								SendMessageW(_t56, 0x44b, 0,  &_v16);
                                                								SetCursor(LoadCursorW(0, 0x7f02));
                                                								_push(1);
                                                								E004047D5(_a4, _v8);
                                                								SetCursor(LoadCursorW(0, 0x7f00));
                                                								_t114 = _a16;
                                                							}
                                                						}
                                                						if( *((intOrPtr*)(_t114 + 8)) != 0x700 ||  *((intOrPtr*)(_t114 + 0xc)) != 0x100) {
                                                							goto L28;
                                                						} else {
                                                							if( *((intOrPtr*)(_t114 + 0x10)) == 0xd) {
                                                								SendMessageW( *0x434f08, 0x111, 1, 0);
                                                							}
                                                							if( *((intOrPtr*)(_t114 + 0x10)) == 0x1b) {
                                                								SendMessageW( *0x434f08, 0x10, 0, 0);
                                                							}
                                                							return 1;
                                                						}
                                                					}
                                                					if(_a12 >> 0x10 != 0 ||  *0x42b234 != 0) {
                                                						goto L27;
                                                					} else {
                                                						_t116 =  *0x42c240 + 0x14;
                                                						if(( *_t116 & 0x00000020) == 0) {
                                                							goto L27;
                                                						}
                                                						 *_t116 =  *_t116 & 0xfffffffe | SendMessageW(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001;
                                                						E00404389(SendMessageW(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001);
                                                						E004047B1();
                                                						goto L13;
                                                					}
                                                				}
                                                				_t117 = _a16;
                                                				_t75 =  *(_t117 + 0x30);
                                                				if(_t75 < 0) {
                                                					_t75 =  *( *0x433edc - 4 + _t75 * 4);
                                                				}
                                                				_t76 =  *0x434f58 + _t75 * 2;
                                                				_t110 =  *_t76 & 0x0000ffff;
                                                				_a8 = _t110;
                                                				_t78 =  &(_t76[1]);
                                                				_a16 = _t78;
                                                				_v16 = _t78;
                                                				_v12 = 0;
                                                				_v8 = E004044D7;
                                                				if(_t110 != 2) {
                                                					_v8 = E0040449D;
                                                				}
                                                				_push( *((intOrPtr*)(_t117 + 0x34)));
                                                				_push(0x22);
                                                				E00404367(_a4);
                                                				_push( *((intOrPtr*)(_t117 + 0x38)));
                                                				_push(0x23);
                                                				E00404367(_a4);
                                                				CheckDlgButton(_a4, (0 | ( !( *(_t117 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t117 + 0x14) & 0x00000001) == 0x00000000) + 0x40a, 1);
                                                				E00404389( !( *(_t117 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t117 + 0x14) & 0x00000001);
                                                				_t118 = GetDlgItem(_a4, 0x3e8);
                                                				E0040439C(_t118);
                                                				SendMessageW(_t118, 0x45b, 1, 0);
                                                				_t92 =  *( *0x434f14 + 0x68);
                                                				if(_t92 < 0) {
                                                					_t92 = GetSysColor( ~_t92);
                                                				}
                                                				SendMessageW(_t118, 0x443, 0, _t92);
                                                				SendMessageW(_t118, 0x445, 0, 0x4010000);
                                                				SendMessageW(_t118, 0x435, 0, lstrlenW(_a16));
                                                				 *0x42b234 = 0;
                                                				SendMessageW(_t118, 0x449, _a8,  &_v16);
                                                				 *0x42b234 = 0;
                                                				return 0;
                                                			}



















                                                APIs
                                                • CheckDlgButton.USER32(?,-0000040A,00000001), ref: 004045C4
                                                • GetDlgItem.USER32 ref: 004045D8
                                                • SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 004045F5
                                                • GetSysColor.USER32(?), ref: 00404606
                                                • SendMessageW.USER32(00000000,00000443,00000000,?), ref: 00404614
                                                • SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 00404622
                                                • lstrlenW.KERNEL32(?), ref: 00404627
                                                • SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 00404634
                                                • SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 00404649
                                                • GetDlgItem.USER32 ref: 004046A2
                                                • SendMessageW.USER32(00000000), ref: 004046A9
                                                • GetDlgItem.USER32 ref: 004046D4
                                                • SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 00404717
                                                • LoadCursorW.USER32(00000000,00007F02), ref: 00404725
                                                • SetCursor.USER32(00000000), ref: 00404728
                                                • LoadCursorW.USER32(00000000,00007F00), ref: 00404741
                                                • SetCursor.USER32(00000000), ref: 00404744
                                                • SendMessageW.USER32(00000111,00000001,00000000), ref: 00404773
                                                • SendMessageW.USER32(00000010,00000000,00000000), ref: 00404785
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.835235633.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900.jbxd
                                                Similarity
                                                • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
                                                • String ID: Call$N
                                                • API String ID: 3103080414-3438112850
                                                • Opcode ID: 3e7f1d81aaa2c81caad56aadef940d4d94f2f382e64dbbb27fd2036abddb4608
                                                • Instruction ID: bc177dfd6b6b6103f733ab6784bbaef7ca361af311f51bfa08924dfc74b84e38
                                                • Opcode Fuzzy Hash: 3e7f1d81aaa2c81caad56aadef940d4d94f2f382e64dbbb27fd2036abddb4608
                                                • Instruction Fuzzy Hash: 79618EB1A00209FFDB109F60DD85AAA7B69FB85314F00843AFA15B72D1D778AD51CF98
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 90%
                                                			E00401000(struct HWND__* _a4, void* _a8, signed int _a12, void* _a16) {
                                                				struct tagLOGBRUSH _v16;
                                                				struct tagRECT _v32;
                                                				struct tagPAINTSTRUCT _v96;
                                                				struct HDC__* _t70;
                                                				struct HBRUSH__* _t87;
                                                				struct HFONT__* _t94;
                                                				long _t102;
                                                				signed int _t126;
                                                				struct HDC__* _t128;
                                                				intOrPtr _t130;
                                                
                                                				if(_a8 == 0xf) {
                                                					_t130 =  *0x434f14;
                                                					_t70 = BeginPaint(_a4,  &_v96);
                                                					_v16.lbStyle = _v16.lbStyle & 0x00000000;
                                                					_a8 = _t70;
                                                					GetClientRect(_a4,  &_v32);
                                                					_t126 = _v32.bottom;
                                                					_v32.bottom = _v32.bottom & 0x00000000;
                                                					while(_v32.top < _t126) {
                                                						_a12 = _t126 - _v32.top;
                                                						asm("cdq");
                                                						asm("cdq");
                                                						asm("cdq");
                                                						_v16.lbColor = 0 << 0x00000008 | (( *(_t130 + 0x50) & 0x000000ff) * _a12 + ( *(_t130 + 0x54) & 0x000000ff) * _v32.top) / _t126 & 0x000000ff;
                                                						_t87 = CreateBrushIndirect( &_v16);
                                                						_v32.bottom = _v32.bottom + 4;
                                                						_a16 = _t87;
                                                						FillRect(_a8,  &_v32, _t87);
                                                						DeleteObject(_a16);
                                                						_v32.top = _v32.top + 4;
                                                					}
                                                					if( *(_t130 + 0x58) != 0xffffffff) {
                                                						_t94 = CreateFontIndirectW( *(_t130 + 0x34));
                                                						_a16 = _t94;
                                                						if(_t94 != 0) {
                                                							_t128 = _a8;
                                                							_v32.left = 0x10;
                                                							_v32.top = 8;
                                                							SetBkMode(_t128, 1);
                                                							SetTextColor(_t128,  *(_t130 + 0x58));
                                                							_a8 = SelectObject(_t128, _a16);
                                                							DrawTextW(_t128, 0x433f00, 0xffffffff,  &_v32, 0x820);
                                                							SelectObject(_t128, _a8);
                                                							DeleteObject(_a16);
                                                						}
                                                					}
                                                					EndPaint(_a4,  &_v96);
                                                					return 0;
                                                				}
                                                				_t102 = _a16;
                                                				if(_a8 == 0x46) {
                                                					 *(_t102 + 0x18) =  *(_t102 + 0x18) | 0x00000010;
                                                					 *((intOrPtr*)(_t102 + 4)) =  *0x434f08;
                                                				}
                                                				return DefWindowProcW(_a4, _a8, _a12, _t102);
                                                			}














                                                APIs
                                                • DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
                                                • BeginPaint.USER32(?,?), ref: 00401047
                                                • GetClientRect.USER32 ref: 0040105B
                                                • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
                                                • FillRect.USER32 ref: 004010E4
                                                • DeleteObject.GDI32(?), ref: 004010ED
                                                • CreateFontIndirectW.GDI32(?), ref: 00401105
                                                • SetBkMode.GDI32(00000000,00000001), ref: 00401126
                                                • SetTextColor.GDI32(00000000,000000FF), ref: 00401130
                                                • SelectObject.GDI32(00000000,?), ref: 00401140
                                                • DrawTextW.USER32(00000000,00433F00,000000FF,00000010,00000820), ref: 00401156
                                                • SelectObject.GDI32(00000000,00000000), ref: 00401160
                                                • DeleteObject.GDI32(?), ref: 00401165
                                                • EndPaint.USER32(?,?), ref: 0040116E
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.835235633.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900.jbxd
                                                Similarity
                                                • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                                                • String ID: F
                                                • API String ID: 941294808-1304234792
                                                • Opcode ID: b27a2b551f63a02a5ae57bcc50d46a19120317da1eaca0d31fe5953092f3d4ab
                                                • Instruction ID: eaab19ccb9cda740c31967da28403833e1322962c0e6ee158e4036cb66a51054
                                                • Opcode Fuzzy Hash: b27a2b551f63a02a5ae57bcc50d46a19120317da1eaca0d31fe5953092f3d4ab
                                                • Instruction Fuzzy Hash: ED418B71800209AFCF058FA5CE459AF7FB9FF44315F04802AF991AA1A0C738AA55DFA4
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E0040605D(void* __ecx) {
                                                				void* __ebx;
                                                				void* __edi;
                                                				void* __esi;
                                                				long _t12;
                                                				long _t24;
                                                				char* _t31;
                                                				int _t37;
                                                				void* _t38;
                                                				intOrPtr* _t39;
                                                				long _t42;
                                                				WCHAR* _t44;
                                                				void* _t46;
                                                				void* _t48;
                                                				void* _t49;
                                                				void* _t52;
                                                				void* _t53;
                                                
                                                				_t38 = __ecx;
                                                				_t44 =  *(_t52 + 0x14);
                                                				 *0x430908 = 0x55004e;
                                                				 *0x43090c = 0x4c;
                                                				if(_t44 == 0) {
                                                					L3:
                                                					_t12 = GetShortPathNameW( *(_t52 + 0x1c), 0x431108, 0x400);
                                                					if(_t12 != 0 && _t12 <= 0x400) {
                                                						_t37 = wsprintfA(0x430508, "%ls=%ls\r\n", 0x430908, 0x431108);
                                                						_t53 = _t52 + 0x10;
                                                						E0040644E(_t37, 0x400, 0x431108, 0x431108,  *((intOrPtr*)( *0x434f14 + 0x128)));
                                                						_t12 = E00405F07(0x431108, 0xc0000000, 4);
                                                						_t48 = _t12;
                                                						 *(_t53 + 0x18) = _t48;
                                                						if(_t48 != 0xffffffff) {
                                                							_t42 = GetFileSize(_t48, 0);
                                                							_t6 = _t37 + 0xa; // 0xa
                                                							_t46 = GlobalAlloc(0x40, _t42 + _t6);
                                                							if(_t46 == 0 || E00405F8A(_t48, _t46, _t42) == 0) {
                                                								L18:
                                                								return CloseHandle(_t48);
                                                							} else {
                                                								if(E00405E6C(_t38, _t46, "[Rename]\r\n") != 0) {
                                                									_t49 = E00405E6C(_t38, _t21 + 0xa, "\n[");
                                                									if(_t49 == 0) {
                                                										_t48 =  *(_t53 + 0x18);
                                                										L16:
                                                										_t24 = _t42;
                                                										L17:
                                                										E00405EC2(_t24 + _t46, 0x430508, _t37);
                                                										SetFilePointer(_t48, 0, 0, 0);
                                                										E00405FB9(_t48, _t46, _t42 + _t37);
                                                										GlobalFree(_t46);
                                                										goto L18;
                                                									}
                                                									_t39 = _t46 + _t42;
                                                									_t31 = _t39 + _t37;
                                                									while(_t39 > _t49) {
                                                										 *_t31 =  *_t39;
                                                										_t31 = _t31 - 1;
                                                										_t39 = _t39 - 1;
                                                									}
                                                									_t24 = _t49 - _t46 + 1;
                                                									_t48 =  *(_t53 + 0x18);
                                                									goto L17;
                                                								}
                                                								lstrcpyA(_t46 + _t42, "[Rename]\r\n");
                                                								_t42 = _t42 + 0xa;
                                                								goto L16;
                                                							}
                                                						}
                                                					}
                                                				} else {
                                                					CloseHandle(E00405F07(_t44, 0, 1));
                                                					_t12 = GetShortPathNameW(_t44, 0x430908, 0x400);
                                                					if(_t12 != 0 && _t12 <= 0x400) {
                                                						goto L3;
                                                					}
                                                				}
                                                				return _t12;
                                                			}

                                                APIs
                                                • CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,?,004061F8,?,?), ref: 00406098
                                                • GetShortPathNameW.KERNEL32 ref: 004060A1
                                                  • Part of subcall function 00405E6C: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00406151,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E7C
                                                  • Part of subcall function 00405E6C: lstrlenA.KERNEL32(00000000,?,00000000,00406151,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405EAE
                                                • GetShortPathNameW.KERNEL32 ref: 004060BE
                                                • wsprintfA.USER32 ref: 004060DC
                                                • GetFileSize.KERNEL32(00000000,00000000,00431108,C0000000,00000004,00431108,?,?,?,?,?), ref: 00406117
                                                • GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00406126
                                                • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 0040615E
                                                • SetFilePointer.KERNEL32(0040A580,00000000,00000000,00000000,00000000,00430508,00000000,-0000000A,0040A580,00000000,[Rename],00000000,00000000,00000000), ref: 004061B4
                                                • GlobalFree.KERNEL32 ref: 004061C5
                                                • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 004061CC
                                                  • Part of subcall function 00405F07: GetFileAttributesW.KERNELBASE(?,00403055,C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe,80000000,00000003,?,00000007,00000009,0000000B), ref: 00405F0B
                                                  • Part of subcall function 00405F07: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,00000007,00000009,0000000B), ref: 00405F2D
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.835235633.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900.jbxd
                                                Similarity
                                                • API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
                                                • String ID: %ls=%ls$[Rename]
                                                • API String ID: 2171350718-461813615
                                                • Opcode ID: 9b519c14120aa80628a1efb59fa06e72263f7c501841ac8fb024acedf13bc814
                                                • Instruction ID: d46549913b6b20842cf1787bef5cc60fb31ae9cbf3b8bb231415db86ef2d3bba
                                                • Opcode Fuzzy Hash: 9b519c14120aa80628a1efb59fa06e72263f7c501841ac8fb024acedf13bc814
                                                • Instruction Fuzzy Hash: 9D3135712017157BD2206B218D48F6B3A5CDF45754F15003AFE82FA2C3DA3CE9218ABD
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 91%
                                                			E004066C0(WCHAR* _a4) {
                                                				short _t5;
                                                				short _t7;
                                                				WCHAR* _t19;
                                                				WCHAR* _t20;
                                                				WCHAR* _t21;
                                                
                                                				_t20 = _a4;
                                                				if( *_t20 == 0x5c && _t20[1] == 0x5c && _t20[2] == 0x3f && _t20[3] == 0x5c) {
                                                					_t20 =  &(_t20[4]);
                                                				}
                                                				if( *_t20 != 0 && E00405D5D(_t20) != 0) {
                                                					_t20 =  &(_t20[2]);
                                                				}
                                                				_t5 =  *_t20;
                                                				_t21 = _t20;
                                                				_t19 = _t20;
                                                				if(_t5 != 0) {
                                                					do {
                                                						if(_t5 > 0x1f &&  *((short*)(E00405D13(L"*?|<>/\":", _t5))) == 0) {
                                                							E00405EC2(_t19, _t20, CharNextW(_t20) - _t20 >> 1);
                                                							_t19 = CharNextW(_t19);
                                                						}
                                                						_t20 = CharNextW(_t20);
                                                						_t5 =  *_t20;
                                                					} while (_t5 != 0);
                                                				}
                                                				 *_t19 =  *_t19 & 0x00000000;
                                                				while(1) {
                                                					_push(_t19);
                                                					_push(_t21);
                                                					_t19 = CharPrevW();
                                                					_t7 =  *_t19;
                                                					if(_t7 != 0x20 && _t7 != 0x5c) {
                                                						break;
                                                					}
                                                					 *_t19 =  *_t19 & 0x00000000;
                                                					if(_t21 < _t19) {
                                                						continue;
                                                					}
                                                					break;
                                                				}
                                                				return _t7;
                                                			}

                                                APIs
                                                • CharNextW.USER32(?,*?|<>/":,00000000,00000000,7476FAA0,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe",004034A0,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040370F,?,00000007,00000009,0000000B), ref: 00406723
                                                • CharNextW.USER32(?,?,?,00000000,?,00000007,00000009,0000000B), ref: 00406732
                                                • CharNextW.USER32(?,00000000,7476FAA0,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe",004034A0,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040370F,?,00000007,00000009,0000000B), ref: 00406737
                                                • CharPrevW.USER32(?,?,7476FAA0,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe",004034A0,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040370F,?,00000007,00000009,0000000B), ref: 0040674A
                                                Strings
                                                • C:\Users\user\AppData\Local\Temp\, xrefs: 004066C1
                                                • *?|<>/":, xrefs: 00406712
                                                • "C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe", xrefs: 004066C0
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.835235633.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900.jbxd
                                                Similarity
                                                • API ID: Char$Next$Prev
                                                • String ID: "C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
                                                • API String ID: 589700163-2427882228
                                                • Opcode ID: 9ddbb9e18cbe24282ce487244f484090ca5dfb24375496ba9be4fccf49263134
                                                • Instruction ID: 9627fccf098e727a5900f08bdddf05a21b4f43d755832024a56349c67539c63f
                                                • Opcode Fuzzy Hash: 9ddbb9e18cbe24282ce487244f484090ca5dfb24375496ba9be4fccf49263134
                                                • Instruction Fuzzy Hash: F2110D1580061295DB303B548C84A7B62F8EF5879CF52843FED96732C0E77D8C9286BD
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E004043CE(intOrPtr _a4, struct HDC__* _a8, struct HWND__* _a12) {
                                                				struct tagLOGBRUSH _v16;
                                                				long _t39;
                                                				long _t41;
                                                				void* _t44;
                                                				signed char _t50;
                                                				long* _t54;
                                                
                                                				if(_a4 + 0xfffffecd > 5) {
                                                					L18:
                                                					return 0;
                                                				}
                                                				_t54 = GetWindowLongW(_a12, 0xffffffeb);
                                                				if(_t54 == 0 || _t54[2] > 1 || _t54[4] > 2) {
                                                					goto L18;
                                                				} else {
                                                					_t50 = _t54[5];
                                                					if((_t50 & 0xffffffe0) != 0) {
                                                						goto L18;
                                                					}
                                                					_t39 =  *_t54;
                                                					if((_t50 & 0x00000002) != 0) {
                                                						_t39 = GetSysColor(_t39);
                                                					}
                                                					if((_t54[5] & 0x00000001) != 0) {
                                                						SetTextColor(_a8, _t39);
                                                					}
                                                					SetBkMode(_a8, _t54[4]);
                                                					_t41 = _t54[1];
                                                					_v16.lbColor = _t41;
                                                					if((_t54[5] & 0x00000008) != 0) {
                                                						_t41 = GetSysColor(_t41);
                                                						_v16.lbColor = _t41;
                                                					}
                                                					if((_t54[5] & 0x00000004) != 0) {
                                                						SetBkColor(_a8, _t41);
                                                					}
                                                					if((_t54[5] & 0x00000010) != 0) {
                                                						_v16.lbStyle = _t54[2];
                                                						_t44 = _t54[3];
                                                						if(_t44 != 0) {
                                                							DeleteObject(_t44);
                                                						}
                                                						_t54[3] = CreateBrushIndirect( &_v16);
                                                					}
                                                					return _t54[3];
                                                				}
                                                			}

                                                APIs
                                                • GetWindowLongW.USER32(?,000000EB), ref: 004043EB
                                                • GetSysColor.USER32(00000000), ref: 00404429
                                                • SetTextColor.GDI32(?,00000000), ref: 00404435
                                                • SetBkMode.GDI32(?,?), ref: 00404441
                                                • GetSysColor.USER32(?), ref: 00404454
                                                • SetBkColor.GDI32(?,?), ref: 00404464
                                                • DeleteObject.GDI32(?), ref: 0040447E
                                                • CreateBrushIndirect.GDI32(?), ref: 00404488
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.835235633.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900.jbxd
                                                Similarity
                                                • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                                                • String ID:
                                                • API String ID: 2320649405-0
                                                • Opcode ID: 288dbcc7c85f11a55b3e08142a2a7aff64d3670202badf385cb57de10b60d8c1
                                                • Instruction ID: dd0feedb065fecc26b382c70af4fe1a3d395924493241b124500faa7aa9dc668
                                                • Opcode Fuzzy Hash: 288dbcc7c85f11a55b3e08142a2a7aff64d3670202badf385cb57de10b60d8c1
                                                • Instruction Fuzzy Hash: 7C2174B15007059BCB30DF78DA08B5BBBF8AF81714B05892EE992B26E1D734E904DB58
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 87%
                                                			E004026E4(intOrPtr __ebx, intOrPtr __edx, void* __edi) {
                                                				intOrPtr _t65;
                                                				intOrPtr _t66;
                                                				intOrPtr _t72;
                                                				void* _t76;
                                                				void* _t79;
                                                
                                                				_t72 = __edx;
                                                				 *((intOrPtr*)(_t76 - 8)) = __ebx;
                                                				_t65 = 2;
                                                				 *((intOrPtr*)(_t76 - 0x4c)) = _t65;
                                                				_t66 = E00402D1C(_t65);
                                                				_t79 = _t66 - 1;
                                                				 *((intOrPtr*)(_t76 - 0x10)) = _t72;
                                                				 *((intOrPtr*)(_t76 - 0x44)) = _t66;
                                                				if(_t79 < 0) {
                                                					L36:
                                                					 *0x434fa8 =  *0x434fa8 +  *(_t76 - 4);
                                                				} else {
                                                					__ecx = 0x3ff;
                                                					if(__eax > 0x3ff) {
                                                						 *(__ebp - 0x44) = 0x3ff;
                                                					}
                                                					if( *__edi == __bx) {
                                                						L34:
                                                						__ecx =  *(__ebp - 0xc);
                                                						__eax =  *(__ebp - 8);
                                                						 *( *(__ebp - 0xc) +  *(__ebp - 8) * 2) = __bx;
                                                						if(_t79 == 0) {
                                                							 *(_t76 - 4) = 1;
                                                						}
                                                						goto L36;
                                                					} else {
                                                						 *(__ebp - 0x38) = __ebx;
                                                						 *(__ebp - 0x18) = E00406371(__ecx, __edi);
                                                						if( *(__ebp - 0x44) > __ebx) {
                                                							do {
                                                								if( *((intOrPtr*)(__ebp - 0x34)) != 0x39) {
                                                									if( *((intOrPtr*)(__ebp - 0x24)) != __ebx ||  *(__ebp - 8) != __ebx || E00405FE8( *(__ebp - 0x18), __ebx) >= 0) {
                                                										__eax = __ebp - 0x50;
                                                										if(E00405F8A( *(__ebp - 0x18), __ebp - 0x50, 2) == 0) {
                                                											goto L34;
                                                										} else {
                                                											goto L21;
                                                										}
                                                									} else {
                                                										goto L34;
                                                									}
                                                								} else {
                                                									__eax = __ebp - 0x40;
                                                									_push(__ebx);
                                                									_push(__ebp - 0x40);
                                                									__eax = 2;
                                                									__ebp - 0x40 -  *((intOrPtr*)(__ebp - 0x24)) = __ebp + 0xa;
                                                									__eax = ReadFile( *(__ebp - 0x18), __ebp + 0xa, __ebp - 0x40 -  *((intOrPtr*)(__ebp - 0x24)), ??, ??);
                                                									if(__eax == 0) {
                                                										goto L34;
                                                									} else {
                                                										__ecx =  *(__ebp - 0x40);
                                                										if(__ecx == __ebx) {
                                                											goto L34;
                                                										} else {
                                                											__ax =  *(__ebp + 0xa) & 0x000000ff;
                                                											 *(__ebp - 0x4c) = __ecx;
                                                											 *(__ebp - 0x50) = __eax;
                                                											if( *((intOrPtr*)(__ebp - 0x24)) != __ebx) {
                                                												L28:
                                                												__ax & 0x0000ffff = E00406358( *(__ebp - 0xc), __ax & 0x0000ffff);
                                                											} else {
                                                												__ebp - 0x50 = __ebp + 0xa;
                                                												if(MultiByteToWideChar(__ebx, 8, __ebp + 0xa, __ecx, __ebp - 0x50, 1) != 0) {
                                                													L21:
                                                													__eax =  *(__ebp - 0x50);
                                                												} else {
                                                													__edi =  *(__ebp - 0x4c);
                                                													__edi =  ~( *(__ebp - 0x4c));
                                                													while(1) {
                                                														_t22 = __ebp - 0x40;
                                                														 *_t22 =  *(__ebp - 0x40) - 1;
                                                														__eax = 0xfffd;
                                                														 *(__ebp - 0x50) = 0xfffd;
                                                														if( *_t22 == 0) {
                                                															goto L22;
                                                														}
                                                														 *(__ebp - 0x4c) =  *(__ebp - 0x4c) - 1;
                                                														__edi = __edi + 1;
                                                														SetFilePointer( *(__ebp - 0x18), __edi, __ebx, 1) = __ebp - 0x50;
                                                														__eax = __ebp + 0xa;
                                                														if(MultiByteToWideChar(__ebx, 8, __ebp + 0xa,  *(__ebp - 0x40), __ebp - 0x50, 1) == 0) {
                                                															continue;
                                                														} else {
                                                															goto L21;
                                                														}
                                                														goto L22;
                                                													}
                                                												}
                                                												L22:
                                                												if( *((intOrPtr*)(__ebp - 0x24)) != __ebx) {
                                                													goto L28;
                                                												} else {
                                                													if( *(__ebp - 0x38) == 0xd ||  *(__ebp - 0x38) == 0xa) {
                                                														if( *(__ebp - 0x38) == __ax || __ax != 0xd && __ax != 0xa) {
                                                															 *(__ebp - 0x4c) =  ~( *(__ebp - 0x4c));
                                                															__eax = SetFilePointer( *(__ebp - 0x18),  ~( *(__ebp - 0x4c)), __ebx, 1);
                                                														} else {
                                                															__ecx =  *(__ebp - 0xc);
                                                															__edx =  *(__ebp - 8);
                                                															 *(__ebp - 8) =  *(__ebp - 8) + 1;
                                                															 *( *(__ebp - 0xc) +  *(__ebp - 8) * 2) = __ax;
                                                														}
                                                														goto L34;
                                                													} else {
                                                														__ecx =  *(__ebp - 0xc);
                                                														__edx =  *(__ebp - 8);
                                                														 *(__ebp - 8) =  *(__ebp - 8) + 1;
                                                														 *( *(__ebp - 0xc) +  *(__ebp - 8) * 2) = __ax;
                                                														 *(__ebp - 0x38) = __eax;
                                                														if(__ax == __bx) {
                                                															goto L34;
                                                														} else {
                                                															goto L26;
                                                														}
                                                													}
                                                												}
                                                											}
                                                										}
                                                									}
                                                								}
                                                								goto L37;
                                                								L26:
                                                								__eax =  *(__ebp - 8);
                                                							} while ( *(__ebp - 8) <  *(__ebp - 0x44));
                                                						}
                                                						goto L34;
                                                					}
                                                				}
                                                				L37:
                                                				return 0;
                                                			}









                                                APIs
                                                • ReadFile.KERNEL32(?,?,?,?), ref: 00402750
                                                • MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 0040278B
                                                • SetFilePointer.KERNEL32(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 004027AE
                                                • MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 004027C4
                                                  • Part of subcall function 00405FE8: SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 00405FFE
                                                • SetFilePointer.KERNEL32(?,?,?,00000001,?,?,00000002), ref: 00402870
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.835235633.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.835227877.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835247650.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835255668.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835279889.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835287535.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835293393.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835311029.0000000000460000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835319576.000000000047B000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835326492.000000000047E000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900.jbxd
                                                Similarity
                                                • API ID: File$Pointer$ByteCharMultiWide$Read
                                                • String ID: 9
                                                • API String ID: 163830602-2366072709
                                                • Opcode ID: 939078a54e4475671e6551d3fd19772fabc7f31a6bf9158e4a480f344115c940
                                                • Instruction ID: fc85df120a24998764995467ff6edc9a451c04e372c05a6abf1f77cf4653f2d7
                                                • Opcode Fuzzy Hash: 939078a54e4475671e6551d3fd19772fabc7f31a6bf9158e4a480f344115c940
                                                • Instruction Fuzzy Hash: 5C51F975D00219ABDF20DF95CA89AAEBB79FF04344F10817BE501B62D0E7B49D828B58
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E00405479(signed int _a4, WCHAR* _a8) {
                                                				struct HWND__* _v8;
                                                				signed int _v12;
                                                				WCHAR* _v32;
                                                				long _v44;
                                                				int _v48;
                                                				void* _v52;
                                                				void* __ebx;
                                                				void* __edi;
                                                				void* __esi;
                                                				WCHAR* _t27;
                                                				signed int _t28;
                                                				long _t29;
                                                				signed int _t37;
                                                				signed int _t38;
                                                
                                                				_t27 =  *0x433ee4;
                                                				_v8 = _t27;
                                                				if(_t27 != 0) {
                                                					_t37 =  *0x434fd4;
                                                					_v12 = _t37;
                                                					_t38 = _t37 & 0x00000001;
                                                					if(_t38 == 0) {
                                                						E0040644E(_t38, 0, 0x42c248, 0x42c248, _a4);
                                                					}
                                                					_t27 = lstrlenW(0x42c248);
                                                					_a4 = _t27;
                                                					if(_a8 == 0) {
                                                						L6:
                                                						if((_v12 & 0x00000004) == 0) {
                                                							_t27 = SetWindowTextW( *0x433ec8, 0x42c248);
                                                						}
                                                						if((_v12 & 0x00000002) == 0) {
                                                							_v32 = 0x42c248;
                                                							_v52 = 1;
                                                							_t29 = SendMessageW(_v8, 0x1004, 0, 0);
                                                							_v44 = 0;
                                                							_v48 = _t29 - _t38;
                                                							SendMessageW(_v8, 0x104d - _t38, 0,  &_v52);
                                                							_t27 = SendMessageW(_v8, 0x1013, _v48, 0);
                                                						}
                                                						if(_t38 != 0) {
                                                							_t28 = _a4;
                                                							0x42c248[_t28] = 0;
                                                							return _t28;
                                                						}
                                                					} else {
                                                						_t27 = lstrlenW(_a8) + _a4;
                                                						if(_t27 < 0x1000) {
                                                							_t27 = lstrcatW(0x42c248, _a8);
                                                							goto L6;
                                                						}
                                                					}
                                                				}
                                                				return _t27;
                                                			}


















                                                APIs
                                                • lstrlenW.KERNEL32(0042C248,00000000,00425A20,7476EA30,?,?,?,?,?,?,?,?,?,004033B0,00000000,?), ref: 004054B1
                                                • lstrlenW.KERNEL32(004033B0,0042C248,00000000,00425A20,7476EA30,?,?,?,?,?,?,?,?,?,004033B0,00000000), ref: 004054C1
                                                • lstrcatW.KERNEL32(0042C248,004033B0), ref: 004054D4
                                                • SetWindowTextW.USER32(0042C248,0042C248), ref: 004054E6
                                                • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040550C
                                                • SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405526
                                                • SendMessageW.USER32(?,00001013,?,00000000), ref: 00405534
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.835235633.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.835227877.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835247650.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835255668.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835279889.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835287535.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835293393.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835311029.0000000000460000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835319576.000000000047B000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835326492.000000000047E000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900.jbxd
                                                Similarity
                                                • API ID: MessageSend$lstrlen$TextWindowlstrcat
                                                • String ID:
                                                • API String ID: 2531174081-0
                                                • Opcode ID: 595c87a6c684e3cc3ecfa7d9121cf0e7c522785301409aa9d6fada1dea414851
                                                • Instruction ID: 1ccddca99fa11d5427df38f31253403cabd393798f33362a1a37d4b4032a7ea7
                                                • Opcode Fuzzy Hash: 595c87a6c684e3cc3ecfa7d9121cf0e7c522785301409aa9d6fada1dea414851
                                                • Instruction Fuzzy Hash: 42219A71900518BBCB219F95DD85ACFBFB9EF45354F10803AF904B22A0C7798A908FA8
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E00404D22(struct HWND__* _a4, intOrPtr _a8) {
                                                				long _v8;
                                                				signed char _v12;
                                                				unsigned int _v16;
                                                				void* _v20;
                                                				intOrPtr _v24;
                                                				long _v56;
                                                				void* _v60;
                                                				long _t15;
                                                				unsigned int _t19;
                                                				signed int _t25;
                                                				struct HWND__* _t28;
                                                
                                                				_t28 = _a4;
                                                				_t15 = SendMessageW(_t28, 0x110a, 9, 0);
                                                				if(_a8 == 0) {
                                                					L4:
                                                					_v56 = _t15;
                                                					_v60 = 4;
                                                					SendMessageW(_t28, 0x113e, 0,  &_v60);
                                                					return _v24;
                                                				}
                                                				_t19 = GetMessagePos();
                                                				_v16 = _t19 >> 0x10;
                                                				_v20 = _t19;
                                                				ScreenToClient(_t28,  &_v20);
                                                				_t25 = SendMessageW(_t28, 0x1111, 0,  &_v20);
                                                				if((_v12 & 0x00000066) != 0) {
                                                					_t15 = _v8;
                                                					goto L4;
                                                				}
                                                				return _t25 | 0xffffffff;
                                                			}















                                                APIs
                                                • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404D3D
                                                • GetMessagePos.USER32 ref: 00404D45
                                                • ScreenToClient.USER32 ref: 00404D5F
                                                • SendMessageW.USER32(?,00001111,00000000,?), ref: 00404D71
                                                • SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404D97
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.835235633.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.835227877.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.835247650.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.835255668.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.835279889.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.835287535.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.835293393.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.835311029.0000000000460000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.835319576.000000000047B000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.835326492.000000000047E000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900.jbxd
                                                Similarity
                                                • API ID: Message$Send$ClientScreen
                                                • String ID: f
                                                • API String ID: 41195575-1993550816
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 73%
                                                			E00401E4E(intOrPtr __edx) {
                                                				void* __edi;
                                                				int _t9;
                                                				signed char _t15;
                                                				struct HFONT__* _t18;
                                                				intOrPtr _t30;
                                                				void* _t31;
                                                				struct HDC__* _t33;
                                                				void* _t35;
                                                
                                                				_t30 = __edx;
                                                				_t33 = GetDC( *(_t35 - 8));
                                                				_t9 = E00402D1C(2);
                                                				 *((intOrPtr*)(_t35 - 0x10)) = _t30;
                                                				0x40cdf0->lfHeight =  ~(MulDiv(_t9, GetDeviceCaps(_t33, 0x5a), 0x48));
                                                				ReleaseDC( *(_t35 - 8), _t33);
                                                				 *0x40ce00 = E00402D1C(3);
                                                				_t15 =  *((intOrPtr*)(_t35 - 0x20));
                                                				 *((intOrPtr*)(_t35 - 0x10)) = _t30;
                                                				 *0x40ce07 = 1;
                                                				 *0x40ce04 = _t15 & 0x00000001;
                                                				 *0x40ce05 = _t15 & 0x00000002;
                                                				 *0x40ce06 = _t15 & 0x00000004;
                                                				E0040644E(_t9, _t31, _t33, "Tahoma",  *((intOrPtr*)(_t35 - 0x2c)));
                                                				_t18 = CreateFontIndirectW(0x40cdf0);
                                                				_push(_t18);
                                                				_push(_t31);
                                                				E00406358();
                                                				 *0x434fa8 =  *0x434fa8 +  *((intOrPtr*)(_t35 - 4));
                                                				return 0;
                                                 			}

                                                APIs
                                                • GetDC.USER32(?), ref: 00401E51
                                                • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401E6B
                                                • MulDiv.KERNEL32(00000000,00000000), ref: 00401E73
                                                • ReleaseDC.USER32 ref: 00401E84
                                                • CreateFontIndirectW.GDI32(0040CDF0), ref: 00401ED3
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.835235633.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900.jbxd
                                                Similarity
                                                • API ID: CapsCreateDeviceFontIndirectRelease
                                                • String ID: Tahoma
                                                • API String ID: 3808545654-3580928618
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E00402F2B(struct HWND__* _a4, intOrPtr _a8) {
                                                				short _v132;
                                                				int _t11;
                                                				int _t20;
                                                
                                                				if(_a8 == 0x110) {
                                                					SetTimer(_a4, 1, 0xfa, 0);
                                                					_a8 = 0x113;
                                                				}
                                                				if(_a8 == 0x113) {
                                                					_t20 =  *0x41ea18; // 0x37c9e
                                                					_t11 =  *0x42aa24;
                                                					if(_t20 >= _t11) {
                                                						_t20 = _t11;
                                                					}
                                                					wsprintfW( &_v132, L"verifying installer: %d%%", MulDiv(_t20, 0x64, _t11));
                                                					SetWindowTextW(_a4,  &_v132);
                                                					SetDlgItemTextW(_a4, 0x406,  &_v132);
                                                				}
                                                				return 0;
                                                 			}

                                                APIs
                                                • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402F49
                                                • MulDiv.KERNEL32(00037C9E,00000064,?), ref: 00402F74
                                                • wsprintfW.USER32 ref: 00402F84
                                                • SetWindowTextW.USER32(?,?), ref: 00402F94
                                                • SetDlgItemTextW.USER32 ref: 00402FA6
                                                Strings
                                                • verifying installer: %d%%, xrefs: 00402F7E
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.835235633.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900.jbxd
                                                Similarity
                                                • API ID: Text$ItemTimerWindowwsprintf
                                                • String ID: verifying installer: %d%%
                                                • API String ID: 1451636040-82062127
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 75%
                                                			E739A25B5() {
                                                				intOrPtr _t24;
                                                				void* _t26;
                                                				intOrPtr _t27;
                                                				signed int _t39;
                                                				void* _t40;
                                                				void* _t43;
                                                				intOrPtr _t44;
                                                				void* _t45;
                                                
                                                				_t40 = E739A121B();
                                                				_t24 =  *((intOrPtr*)(_t45 + 0x18));
                                                				_t44 =  *((intOrPtr*)(_t24 + 0x1014));
                                                				_t43 = (_t44 + 0x81 << 5) + _t24;
                                                				do {
                                                					if( *((intOrPtr*)(_t43 - 4)) >= 0) {
                                                					}
                                                					_t39 =  *(_t43 - 8) & 0x000000ff;
                                                					if(_t39 <= 7) {
                                                						switch( *((intOrPtr*)(_t39 * 4 +  &M739A26E4))) {
                                                							case 0:
                                                								 *_t40 = 0;
                                                								goto L17;
                                                							case 1:
                                                								__eax =  *__eax;
                                                								if(__ecx > __ebx) {
                                                									 *(__esp + 0x10) = __ecx;
                                                									__ecx =  *(0x739a407c + __edx * 4);
                                                									__edx =  *(__esp + 0x10);
                                                									__ecx = __ecx * __edx;
                                                									asm("sbb edx, edx");
                                                									__edx = __edx & __ecx;
                                                									__eax = __eax &  *(0x739a409c + __edx * 4);
                                                								}
                                                								_push(__eax);
                                                								goto L15;
                                                							case 2:
                                                								__eax = E739A1470(__edx,  *__eax,  *((intOrPtr*)(__eax + 4)), __edi);
                                                								goto L16;
                                                							case 3:
                                                								__ecx =  *0x739a506c;
                                                								__edx = __ecx - 1;
                                                								__eax = MultiByteToWideChar(__ebx, __ebx,  *__eax, __ecx, __edi, __edx);
                                                								__eax =  *0x739a506c;
                                                								 *((short*)(__edi + __eax * 2 - 2)) = __bx;
                                                								goto L17;
                                                							case 4:
                                                								__eax = lstrcpynW(__edi,  *__eax,  *0x739a506c);
                                                								goto L17;
                                                							case 5:
                                                								_push( *0x739a506c);
                                                								_push(__edi);
                                                								_push( *__eax);
                                                								__imp__StringFromGUID2();
                                                								goto L17;
                                                							case 6:
                                                								_push( *__esi);
                                                								L15:
                                                								__eax = wsprintfW(__edi, 0x739a5000);
                                                								L16:
                                                								__esp = __esp + 0xc;
                                                								goto L17;
                                                						}
                                                					}
                                                					L17:
                                                					_t26 =  *(_t43 + 0x14);
                                                					if(_t26 != 0 && ( *((intOrPtr*)( *((intOrPtr*)(_t45 + 0x18)))) != 2 ||  *((intOrPtr*)(_t43 - 4)) > 0)) {
                                                						GlobalFree(_t26);
                                                					}
                                                					_t27 =  *((intOrPtr*)(_t43 + 0xc));
                                                					if(_t27 != 0) {
                                                						if(_t27 != 0xffffffff) {
                                                							if(_t27 > 0) {
                                                								E739A12E1(_t27 - 1, _t40);
                                                								goto L26;
                                                							}
                                                						} else {
                                                							E739A1272(_t40);
                                                							L26:
                                                						}
                                                					}
                                                					_t44 = _t44 - 1;
                                                					_t43 = _t43 - 0x20;
                                                				} while (_t44 >= 0);
                                                				return GlobalFree(_t40);
                                                 			}

                                                APIs
                                                  • Part of subcall function 739A121B: GlobalAlloc.KERNELBASE(00000040,?,739A123B,?,739A12DF,00000019,739A11BE,-000000A0), ref: 739A1225
                                                • GlobalFree.KERNEL32 ref: 739A26A3
                                                • GlobalFree.KERNEL32 ref: 739A26D8
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.835830546.00000000739A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 739A0000, based on PE: true
                                                 • Associated: 00000000.00000002.835810972.00000000739A0000.00000002.00000001.01000000.00000004.sdmp
                                                 • Associated: 00000000.00000002.835840431.00000000739A4000.00000002.00000001.01000000.00000004.sdmp
                                                 • Associated: 00000000.00000002.835888037.00000000739A6000.00000002.00000001.01000000.00000004.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_739a0000_CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900.jbxd
                                                Similarity
                                                • API ID: Global$Free$Alloc
                                                • String ID:
                                                • API String ID: 1780285237-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 86%
                                                			E00402947(int __ebx, void* __eflags) {
                                                				void* _t26;
                                                				long _t31;
                                                				int _t45;
                                                				void* _t49;
                                                				void* _t51;
                                                				void* _t54;
                                                				void* _t55;
                                                				void* _t56;
                                                
                                                				_t45 = __ebx;
                                                				 *((intOrPtr*)(_t56 - 0x38)) = 0xfffffd66;
                                                				_t50 = E00402D3E(0xfffffff0);
                                                				 *(_t56 - 0x40) = _t23;
                                                				if(E00405D5D(_t50) == 0) {
                                                					E00402D3E(0xffffffed);
                                                				}
                                                				E00405EE2(_t50);
                                                				_t26 = E00405F07(_t50, 0x40000000, 2);
                                                				 *(_t56 + 8) = _t26;
                                                				if(_t26 != 0xffffffff) {
                                                					_t31 =  *0x434f18;
                                                					 *(_t56 - 0x44) = _t31;
                                                					_t49 = GlobalAlloc(0x40, _t31);
                                                					if(_t49 != _t45) {
                                                						E0040347D(_t45);
                                                						E00403467(_t49,  *(_t56 - 0x44));
                                                						_t54 = GlobalAlloc(0x40,  *(_t56 - 0x28));
                                                						 *(_t56 - 0x10) = _t54;
                                                						if(_t54 != _t45) {
                                                							E0040324C( *((intOrPtr*)(_t56 - 0x2c)), _t45, _t54,  *(_t56 - 0x28));
                                                							while( *_t54 != _t45) {
                                                								_t47 =  *_t54;
                                                								_t55 = _t54 + 8;
                                                								 *(_t56 - 0x3c) =  *_t54;
                                                								E00405EC2( *((intOrPtr*)(_t54 + 4)) + _t49, _t55, _t47);
                                                								_t54 = _t55 +  *(_t56 - 0x3c);
                                                							}
                                                							GlobalFree( *(_t56 - 0x10));
                                                						}
                                                						E00405FB9( *(_t56 + 8), _t49,  *(_t56 - 0x44));
                                                						GlobalFree(_t49);
                                                						 *((intOrPtr*)(_t56 - 0x38)) = E0040324C(0xffffffff,  *(_t56 + 8), _t45, _t45);
                                                					}
                                                					CloseHandle( *(_t56 + 8));
                                                				}
                                                				_t51 = 0xfffffff3;
                                                				if( *((intOrPtr*)(_t56 - 0x38)) < _t45) {
                                                					_t51 = 0xffffffef;
                                                					DeleteFileW( *(_t56 - 0x40));
                                                					 *((intOrPtr*)(_t56 - 4)) = 1;
                                                				}
                                                				_push(_t51);
                                                				E00401423();
                                                				 *0x434fa8 =  *0x434fa8 +  *((intOrPtr*)(_t56 - 4));
                                                				return 0;
                                                			}

                                                APIs
                                                • GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000), ref: 0040299B
                                                • GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 004029B7
                                                • GlobalFree.KERNEL32 ref: 004029F0
                                                • GlobalFree.KERNEL32 ref: 00402A03
                                                • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,000000F0), ref: 00402A1B
                                                • DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000), ref: 00402A2F
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.835235633.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.835227877.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835247650.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835255668.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835279889.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835287535.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835293393.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835311029.0000000000460000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835319576.000000000047B000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835326492.000000000047E000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900.jbxd
                                                Similarity
                                                • API ID: Global$AllocFree$CloseDeleteFileHandle
                                                • String ID:
                                                • API String ID: 2667972263-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 97%
                                                			E739A18D9(signed int __edx, void* __eflags, void* _a8, void* _a16) {
                                                				void* _v8;
                                                				signed int _v12;
                                                				signed int _v20;
                                                				signed int _v24;
                                                				char _v76;
                                                				void _t45;
                                                				signed int _t46;
                                                				signed int _t47;
                                                				signed int _t48;
                                                				signed int _t57;
                                                				signed int _t58;
                                                				signed int _t59;
                                                				signed int _t60;
                                                				void* _t66;
                                                				void* _t67;
                                                				void* _t68;
                                                				void* _t69;
                                                				void* _t70;
                                                				signed int _t76;
                                                				void* _t80;
                                                				signed int _t82;
                                                				signed int _t84;
                                                				signed int _t86;
                                                				signed int _t89;
                                                				void* _t100;
                                                
                                                				_t84 = __edx;
                                                				 *0x739a506c = _a8;
                                                				_t76 = 0;
                                                				 *0x739a5070 = _a16;
                                                				_v12 = 0;
                                                				_v8 = E739A1243();
                                                				_t89 = E739A1311(_t42);
                                                				_t86 = _t84;
                                                				_t80 = E739A1243();
                                                				_a8 = _t80;
                                                				_t45 =  *_t80;
                                                				if(_t45 != 0x7e && _t45 != 0x21) {
                                                					_a16 = E739A1243();
                                                					_t76 = E739A1311(_t73);
                                                					_v12 = _t84;
                                                					GlobalFree(_a16);
                                                					_t80 = _a8;
                                                				}
                                                				_t46 =  *_t80 & 0x0000ffff;
                                                				_t100 = _t46 - 0x2f;
                                                				if(_t100 > 0) {
                                                					_t47 = _t46 - 0x3c;
                                                					__eflags = _t47;
                                                					if(_t47 == 0) {
                                                						__eflags =  *((short*)(_t80 + 2)) - 0x3c;
                                                						if( *((short*)(_t80 + 2)) != 0x3c) {
                                                							__eflags = _t86 - _v12;
                                                							if(__eflags > 0) {
                                                								L56:
                                                								_t48 = 0;
                                                								__eflags = 0;
                                                								L57:
                                                								asm("cdq");
                                                								L58:
                                                								_t89 = _t48;
                                                								_t86 = _t84;
                                                								L59:
                                                								E739A1470(_t84, _t89, _t86,  &_v76);
                                                								E739A1272( &_v76);
                                                								GlobalFree(_v8);
                                                								return GlobalFree(_a8);
                                                							}
                                                							if(__eflags < 0) {
                                                								L49:
                                                								__eflags = 0;
                                                								L50:
                                                								_t48 = 1;
                                                								goto L57;
                                                							}
                                                							__eflags = _t89 - _t76;
                                                							if(_t89 < _t76) {
                                                								goto L49;
                                                							}
                                                							goto L56;
                                                						}
                                                						_t84 = _t86;
                                                						_t48 = E739A2FB0(_t89, _t76, _t84);
                                                						goto L58;
                                                					}
                                                					_t57 = _t47 - 1;
                                                					__eflags = _t57;
                                                					if(_t57 == 0) {
                                                						__eflags = _t89 - _t76;
                                                						if(_t89 != _t76) {
                                                							goto L56;
                                                						}
                                                						__eflags = _t86 - _v12;
                                                						if(_t86 != _v12) {
                                                							goto L56;
                                                						}
                                                						goto L49;
                                                					}
                                                					_t58 = _t57 - 1;
                                                					__eflags = _t58;
                                                					if(_t58 == 0) {
                                                						__eflags =  *((short*)(_t80 + 2)) - 0x3e;
                                                						if( *((short*)(_t80 + 2)) != 0x3e) {
                                                							__eflags = _t86 - _v12;
                                                							if(__eflags < 0) {
                                                								goto L56;
                                                							}
                                                							if(__eflags > 0) {
                                                								goto L49;
                                                							}
                                                							__eflags = _t89 - _t76;
                                                							if(_t89 <= _t76) {
                                                								goto L56;
                                                							}
                                                							goto L49;
                                                						}
                                                						__eflags =  *((short*)(_t80 + 4)) - 0x3e;
                                                						_t84 = _t86;
                                                						_t48 = _t89;
                                                						_t82 = _t76;
                                                						if( *((short*)(_t80 + 4)) != 0x3e) {
                                                							_t48 = E739A2FD0(_t48, _t82, _t84);
                                                						} else {
                                                							L739A3000();
                                                						}
                                                						goto L58;
                                                					}
                                                					_t59 = _t58 - 0x20;
                                                					__eflags = _t59;
                                                					if(_t59 == 0) {
                                                						_t89 = _t89 ^ _t76;
                                                						_t86 = _t86 ^ _v12;
                                                						goto L59;
                                                					}
                                                					_t60 = _t59 - 0x1e;
                                                					__eflags = _t60;
                                                					if(_t60 == 0) {
                                                						__eflags =  *((short*)(_t80 + 2)) - 0x7c;
                                                						if( *((short*)(_t80 + 2)) != 0x7c) {
                                                							_t89 = _t89 | _t76;
                                                							_t86 = _t86 | _v12;
                                                							goto L59;
                                                						}
                                                						__eflags = _t89 | _t86;
                                                						if((_t89 | _t86) != 0) {
                                                							goto L49;
                                                						}
                                                						__eflags = _t76 | _v12;
                                                						if((_t76 | _v12) != 0) {
                                                							goto L49;
                                                						}
                                                						goto L56;
                                                					}
                                                					__eflags = _t60 == 0;
                                                					if(_t60 == 0) {
                                                						_t89 =  !_t89;
                                                						_t86 =  !_t86;
                                                					}
                                                					goto L59;
                                                				}
                                                				if(_t100 == 0) {
                                                					L21:
                                                					__eflags = _t76 | _v12;
                                                					if((_t76 | _v12) != 0) {
                                                						_v24 = E739A2E40(_t89, _t86, _t76, _v12);
                                                						_v20 = _t84;
                                                						_t48 = E739A2EF0(_t89, _t86, _t76, _v12);
                                                						_t80 = _a8;
                                                					} else {
                                                						_v24 = _v24 & 0x00000000;
                                                						_v20 = _v20 & 0x00000000;
                                                						_t48 = _t89;
                                                						_t84 = _t86;
                                                					}
                                                					__eflags =  *_t80 - 0x2f;
                                                					if( *_t80 != 0x2f) {
                                                						goto L58;
                                                					} else {
                                                						_t89 = _v24;
                                                						_t86 = _v20;
                                                						goto L59;
                                                					}
                                                				}
                                                				_t66 = _t46 - 0x21;
                                                				if(_t66 == 0) {
                                                					_t48 = 0;
                                                					__eflags = _t89 | _t86;
                                                					if((_t89 | _t86) != 0) {
                                                						goto L57;
                                                					}
                                                					goto L50;
                                                				}
                                                				_t67 = _t66 - 4;
                                                				if(_t67 == 0) {
                                                					goto L21;
                                                				}
                                                				_t68 = _t67 - 1;
                                                				if(_t68 == 0) {
                                                					__eflags =  *((short*)(_t80 + 2)) - 0x26;
                                                					if( *((short*)(_t80 + 2)) != 0x26) {
                                                						_t89 = _t89 & _t76;
                                                						_t86 = _t86 & _v12;
                                                						goto L59;
                                                					}
                                                					__eflags = _t89 | _t86;
                                                					if((_t89 | _t86) == 0) {
                                                						goto L56;
                                                					}
                                                					__eflags = _t76 | _v12;
                                                					if((_t76 | _v12) == 0) {
                                                						goto L56;
                                                					}
                                                					goto L49;
                                                				}
                                                				_t69 = _t68 - 4;
                                                				if(_t69 == 0) {
                                                					_t48 = E739A2E00(_t89, _t86, _t76, _v12);
                                                					goto L58;
                                                				} else {
                                                					_t70 = _t69 - 1;
                                                					if(_t70 == 0) {
                                                						_t89 = _t89 + _t76;
                                                						asm("adc edi, [ebp-0x8]");
                                                					} else {
                                                						if(_t70 == 0) {
                                                							_t89 = _t89 - _t76;
                                                							asm("sbb edi, [ebp-0x8]");
                                                						}
                                                					}
                                                					goto L59;
                                                				}
                                                			}
                                                0x739a1a00
                                                0x739a1951
                                                0x739a1954
                                                0x739a19b9
                                                0x739a19bb
                                                0x739a19bd
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x739a19c3
                                                0x739a1956
                                                0x739a1959
                                                0x00000000
                                                0x00000000
                                                0x739a195b
                                                0x739a195c
                                                0x739a1992
                                                0x739a1997
                                                0x739a19af
                                                0x739a19b1
                                                0x00000000
                                                0x739a19b1
                                                0x739a1999
                                                0x739a199b
                                                0x00000000
                                                0x00000000
                                                0x739a19a1
                                                0x739a19a4
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x739a19aa
                                                0x739a195e
                                                0x739a1961
                                                0x739a1988
                                                0x00000000
                                                0x739a1963
                                                0x739a1963
                                                0x739a1964
                                                0x739a1978
                                                0x739a197a
                                                0x739a1966
                                                0x739a1968
                                                0x739a196e
                                                0x739a1970
                                                0x739a1970
                                                0x739a1968
                                                0x00000000
                                                0x739a1964

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.835830546.00000000739A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 739A0000, based on PE: true
                                                • Associated: 00000000.00000002.835810972.00000000739A0000.00000002.00000001.01000000.00000004.sdmp
                                                • Associated: 00000000.00000002.835840431.00000000739A4000.00000002.00000001.01000000.00000004.sdmp
                                                • Associated: 00000000.00000002.835888037.00000000739A6000.00000002.00000001.01000000.00000004.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_739a0000_CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900.jbxd
                                                Similarity
                                                • API ID: FreeGlobal
                                                • String ID:
                                                • API String ID: 2979337801-0
                                                • Opcode ID: 427145d592ff68a9865eeae6d3623514a7a6c842638b31997f6e5b0afa3d5369
                                                • Instruction ID: 6c2999fbd12ce762c73841dea7d175aa34079aab2cb8a4630aeea24a6001611a
                                                • Opcode Fuzzy Hash: 427145d592ff68a9865eeae6d3623514a7a6c842638b31997f6e5b0afa3d5369
                                                • Instruction Fuzzy Hash: 8851F732D08159DBEB029FAC85447ADBABEEF84394F18435AD406A7284D6709EC1C797
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 85%
                                                			E739A23E0(void* __edx) {
                                                				void* _t37;
                                                				signed int _t38;
                                                				void* _t39;
                                                				void* _t41;
                                                				signed char* _t42;
                                                				signed char* _t51;
                                                				void* _t52;
                                                				void* _t54;
                                                
                                                				 *(_t54 + 0x10) = 0 |  *((intOrPtr*)( *((intOrPtr*)(_t54 + 8)) + 0x1014)) > 0x00000000;
                                                				while(1) {
                                                					_t9 =  *((intOrPtr*)(_t54 + 0x18)) + 0x1018; // 0x1018
                                                					_t51 = ( *(_t54 + 0x10) << 5) + _t9;
                                                					_t52 = _t51[0x18];
                                                					if(_t52 == 0) {
                                                						goto L9;
                                                					}
                                                					_t41 = 0x1a;
                                                					if(_t52 == _t41) {
                                                						goto L9;
                                                					}
                                                					if(_t52 != 0xffffffff) {
                                                						if(_t52 <= 0 || _t52 > 0x19) {
                                                							_t51[0x18] = _t41;
                                                							goto L12;
                                                						} else {
                                                							_t37 = E739A12BA(_t52 - 1);
                                                							L10:
                                                							goto L11;
                                                						}
                                                					} else {
                                                						_t37 = E739A1243();
                                                						L11:
                                                						_t52 = _t37;
                                                						L12:
                                                						_t13 =  &(_t51[8]); // 0x1020
                                                						_t42 = _t13;
                                                						if(_t51[4] >= 0) {
                                                						}
                                                						_t38 =  *_t51 & 0x000000ff;
                                                						_t51[0x1c] = 0;
                                                						if(_t38 > 7) {
                                                							L27:
                                                							_t39 = GlobalFree(_t52);
                                                							if( *(_t54 + 0x10) == 0) {
                                                								return _t39;
                                                							}
                                                							if( *(_t54 + 0x10) !=  *((intOrPtr*)( *((intOrPtr*)(_t54 + 0x18)) + 0x1014))) {
                                                								 *(_t54 + 0x10) =  *(_t54 + 0x10) + 1;
                                                							} else {
                                                								 *(_t54 + 0x10) =  *(_t54 + 0x10) & 0x00000000;
                                                							}
                                                							continue;
                                                						} else {
                                                							switch( *((intOrPtr*)(_t38 * 4 +  &M739A2558))) {
                                                								case 0:
                                                									 *_t42 = 0;
                                                									goto L27;
                                                								case 1:
                                                									__eax = E739A1311(__ebp);
                                                									goto L21;
                                                								case 2:
                                                									 *__edi = E739A1311(__ebp);
                                                									__edi[1] = __edx;
                                                									goto L27;
                                                								case 3:
                                                									__eax = GlobalAlloc(0x40,  *0x739a506c);
                                                									 *(__esi + 0x1c) = __eax;
                                                									__edx = 0;
                                                									 *__edi = __eax;
                                                									__eax = WideCharToMultiByte(0, 0, __ebp,  *0x739a506c, __eax,  *0x739a506c, 0, 0);
                                                									goto L27;
                                                								case 4:
                                                									__eax = E739A122C(__ebp);
                                                									 *(__esi + 0x1c) = __eax;
                                                									L21:
                                                									 *__edi = __eax;
                                                									goto L27;
                                                								case 5:
                                                									__eax = GlobalAlloc(0x40, 0x10);
                                                									_push(__eax);
                                                									 *(__esi + 0x1c) = __eax;
                                                									_push(__ebp);
                                                									 *__edi = __eax;
                                                									__imp__CLSIDFromString();
                                                									goto L27;
                                                								case 6:
                                                									if( *__ebp != __cx) {
                                                										__eax = E739A1311(__ebp);
                                                										 *__ebx = __eax;
                                                									}
                                                									goto L27;
                                                								case 7:
                                                									 *(__esi + 0x18) =  *(__esi + 0x18) - 1;
                                                									( *(__esi + 0x18) - 1) *  *0x739a506c =  *0x739a5074 + ( *(__esi + 0x18) - 1) *  *0x739a506c * 2 + 0x18;
                                                									 *__ebx =  *0x739a5074 + ( *(__esi + 0x18) - 1) *  *0x739a506c * 2 + 0x18;
                                                									asm("cdq");
                                                									__eax = E739A1470(__edx,  *0x739a5074 + ( *(__esi + 0x18) - 1) *  *0x739a506c * 2 + 0x18, __edx,  *0x739a5074 + ( *(__esi + 0x18) - 1) *  *0x739a506c * 2);
                                                									goto L27;
                                                							}
                                                						}
                                                					}
                                                					L9:
                                                					_t37 = E739A122C(0x739a5044);
                                                					goto L10;
                                                				}
                                                			}












                                                APIs
                                                • GlobalFree.KERNEL32 ref: 739A2522
                                                  • Part of subcall function 739A122C: lstrcpynW.KERNEL32(00000000,?,739A12DF,00000019,739A11BE,-000000A0), ref: 739A123C
                                                • GlobalAlloc.KERNEL32(00000040), ref: 739A24A8
                                                • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,?,00000000,00000000), ref: 739A24C3
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.835830546.00000000739A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 739A0000, based on PE: true
                                                • Associated: 00000000.00000002.835810972.00000000739A0000.00000002.00000001.01000000.00000004.sdmp
                                                • Associated: 00000000.00000002.835840431.00000000739A4000.00000002.00000001.01000000.00000004.sdmp
                                                • Associated: 00000000.00000002.835888037.00000000739A6000.00000002.00000001.01000000.00000004.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_739a0000_CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900.jbxd
                                                Similarity
                                                • API ID: Global$AllocByteCharFreeMultiWidelstrcpyn
                                                • String ID:
                                                • API String ID: 4216380887-0
                                                • Opcode ID: cd4e339473f336237fe034e9f7f2dc4a7fa17ec76a54b5bf7045793f34da51b8
                                                • Instruction ID: 1bd4a90a9c5ce8606d23ad7e3c7ecd5920910cb0a301800fb444b0cffa886d8b
                                                • Opcode Fuzzy Hash: cd4e339473f336237fe034e9f7f2dc4a7fa17ec76a54b5bf7045793f34da51b8
                                                • Instruction Fuzzy Hash: 9141CEB1508319EFD715AF698840BA677F9FB48310B108B2DE98A9A181DB70A544CB63
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 77%
                                                			E00401D81(void* __ebx, void* __edx) {
                                                				struct HWND__* _t30;
                                                				WCHAR* _t38;
                                                				void* _t48;
                                                				void* _t53;
                                                				signed int _t55;
                                                				signed int _t60;
                                                				long _t63;
                                                				void* _t65;
                                                
                                                				_t53 = __ebx;
                                                				if(( *(_t65 - 0x23) & 0x00000001) == 0) {
                                                					_t30 = GetDlgItem( *(_t65 - 8),  *(_t65 - 0x28));
                                                				} else {
                                                					E00402D1C(2);
                                                					 *((intOrPtr*)(__ebp - 0x10)) = __edx;
                                                				}
                                                				_t55 =  *(_t65 - 0x24);
                                                				 *(_t65 + 8) = _t30;
                                                				_t60 = _t55 & 0x00000004;
                                                				 *(_t65 - 0x38) = _t55 & 0x00000003;
                                                				 *(_t65 - 0x18) = _t55 >> 0x1f;
                                                				 *(_t65 - 0x40) = _t55 >> 0x0000001e & 0x00000001;
                                                				if((_t55 & 0x00010000) == 0) {
                                                					_t38 =  *(_t65 - 0x2c) & 0x0000ffff;
                                                				} else {
                                                					_t38 = E00402D3E(0x11);
                                                				}
                                                				 *(_t65 - 0x44) = _t38;
                                                				GetClientRect( *(_t65 + 8), _t65 - 0x60);
                                                				asm("sbb esi, esi");
                                                				_t63 = LoadImageW( ~_t60 &  *0x434f00,  *(_t65 - 0x44),  *(_t65 - 0x38),  *(_t65 - 0x58) *  *(_t65 - 0x18),  *(_t65 - 0x54) *  *(_t65 - 0x40),  *(_t65 - 0x24) & 0x0000fef0);
                                                				_t48 = SendMessageW( *(_t65 + 8), 0x172,  *(_t65 - 0x38), _t63);
                                                				if(_t48 != _t53 &&  *(_t65 - 0x38) == _t53) {
                                                					DeleteObject(_t48);
                                                				}
                                                				if( *((intOrPtr*)(_t65 - 0x30)) >= _t53) {
                                                					_push(_t63);
                                                					E00406358();
                                                				}
                                                				 *0x434fa8 =  *0x434fa8 +  *((intOrPtr*)(_t65 - 4));
                                                				return 0;
                                                			}












                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.835235633.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.835227877.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835247650.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835255668.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835279889.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835287535.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835293393.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835311029.0000000000460000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835319576.000000000047B000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835326492.000000000047E000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900.jbxd
                                                Similarity
                                                • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                                                • String ID:
                                                • API String ID: 1849352358-0
                                                • Opcode ID: 5af5b17495f11576261f65d9e5f109aee1feef29f3286c425d9ce226ac00a781
                                                • Instruction ID: ee10c8015a3e92cf614b22ba24180aec604fe5fe026a1179c0e7be4a3fdf0cdb
                                                • Opcode Fuzzy Hash: 5af5b17495f11576261f65d9e5f109aee1feef29f3286c425d9ce226ac00a781
                                                • Instruction Fuzzy Hash: E621F672900119AFCB05DFA4DE45AEEBBB5EF08314F14003AFA45F62A0C7789D51DB98
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E739A161D(struct HINSTANCE__* _a4, short* _a8) {
                                                				_Unknown_base(*)()* _t7;
                                                				void* _t10;
                                                				int _t14;
                                                
                                                				_t14 = WideCharToMultiByte(0, 0, _a8, 0xffffffff, 0, 0, 0, 0);
                                                				_t10 = GlobalAlloc(0x40, _t14);
                                                				WideCharToMultiByte(0, 0, _a8, 0xffffffff, _t10, _t14, 0, 0);
                                                				_t7 = GetProcAddress(_a4, _t10);
                                                				GlobalFree(_t10);
                                                				return _t7;
                                                			}







                                                APIs
                                                • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,00000808,00000000,?,00000000,739A2238,?,00000808), ref: 739A1635
                                                • GlobalAlloc.KERNEL32(00000040,00000000,?,00000000,739A2238,?,00000808), ref: 739A163C
                                                • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,00000000,739A2238,?,00000808), ref: 739A1650
                                                • GetProcAddress.KERNEL32(739A2238,00000000), ref: 739A1657
                                                • GlobalFree.KERNEL32 ref: 739A1660
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.835830546.00000000739A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 739A0000, based on PE: true
                                                • Associated: 00000000.00000002.835810972.00000000739A0000.00000002.00000001.01000000.00000004.sdmp
                                                • Associated: 00000000.00000002.835840431.00000000739A4000.00000002.00000001.01000000.00000004.sdmp
                                                • Associated: 00000000.00000002.835888037.00000000739A6000.00000002.00000001.01000000.00000004.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_739a0000_CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900.jbxd
                                                Similarity
                                                • API ID: ByteCharGlobalMultiWide$AddressAllocFreeProc
                                                • String ID:
                                                • API String ID: 1148316912-0
                                                • Opcode ID: 6a2e7735788a4673f5dbf73ad670e445e6a7772cf901aa20bf4071a8942d28f4
                                                • Instruction ID: e7bd5ef1463cbbfa31fca24c07d3381ba5af5c316936a5b0f2ae86f4957fd956
                                                • Opcode Fuzzy Hash: 6a2e7735788a4673f5dbf73ad670e445e6a7772cf901aa20bf4071a8942d28f4
                                                • Instruction Fuzzy Hash: 89F0A27310A1387BD62126AB8C4CD9BBE9CDF8B2F5B210325F71C9529085615D01E7F1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 59%
                                                			E00401C43(intOrPtr __edx) {
                                                				int _t29;
                                                				long _t30;
                                                				signed int _t32;
                                                				WCHAR* _t35;
                                                				long _t36;
                                                				int _t41;
                                                				signed int _t42;
                                                				int _t46;
                                                				int _t56;
                                                				intOrPtr _t57;
                                                				struct HWND__* _t63;
                                                				void* _t64;
                                                
                                                				_t57 = __edx;
                                                				_t29 = E00402D1C(3);
                                                				 *((intOrPtr*)(_t64 - 0x10)) = _t57;
                                                				 *(_t64 - 0x18) = _t29;
                                                				_t30 = E00402D1C(4);
                                                				 *((intOrPtr*)(_t64 - 0x10)) = _t57;
                                                				 *(_t64 + 8) = _t30;
                                                				if(( *(_t64 - 0x1c) & 0x00000001) != 0) {
                                                					 *((intOrPtr*)(__ebp - 0x18)) = E00402D3E(0x33);
                                                				}
                                                				__eflags =  *(_t64 - 0x1c) & 0x00000002;
                                                				if(( *(_t64 - 0x1c) & 0x00000002) != 0) {
                                                					 *(_t64 + 8) = E00402D3E(0x44);
                                                				}
                                                				__eflags =  *((intOrPtr*)(_t64 - 0x34)) - 0x21;
                                                				_push(1);
                                                				if(__eflags != 0) {
                                                					_t61 = E00402D3E();
                                                					_t32 = E00402D3E();
                                                					asm("sbb ecx, ecx");
                                                					asm("sbb eax, eax");
                                                					_t35 =  ~( *_t31) & _t61;
                                                					__eflags = _t35;
                                                					_t36 = FindWindowExW( *(_t64 - 0x18),  *(_t64 + 8), _t35,  ~( *_t32) & _t32);
                                                					goto L10;
                                                				} else {
                                                					_t63 = E00402D1C();
                                                					 *((intOrPtr*)(_t64 - 0x10)) = _t57;
                                                					_t41 = E00402D1C(2);
                                                					 *((intOrPtr*)(_t64 - 0x10)) = _t57;
                                                					_t56 =  *(_t64 - 0x1c) >> 2;
                                                					if(__eflags == 0) {
                                                						_t36 = SendMessageW(_t63, _t41,  *(_t64 - 0x18),  *(_t64 + 8));
                                                						L10:
                                                						 *(_t64 - 0x38) = _t36;
                                                					} else {
                                                						_t42 = SendMessageTimeoutW(_t63, _t41,  *(_t64 - 0x18),  *(_t64 + 8), _t46, _t56, _t64 - 0x38);
                                                						asm("sbb eax, eax");
                                                						 *((intOrPtr*)(_t64 - 4)) =  ~_t42 + 1;
                                                					}
                                                				}
                                                				__eflags =  *((intOrPtr*)(_t64 - 0x30)) - _t46;
                                                				if( *((intOrPtr*)(_t64 - 0x30)) >= _t46) {
                                                					_push( *(_t64 - 0x38));
                                                					E00406358();
                                                				}
                                                				 *0x434fa8 =  *0x434fa8 +  *((intOrPtr*)(_t64 - 4));
                                                				return 0;
                                                			}
















                                                APIs
                                                • SendMessageTimeoutW.USER32 ref: 00401CB3
                                                • SendMessageW.USER32(00000000,00000000,?,?), ref: 00401CCB
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.835235633.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.835227877.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835247650.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835255668.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835279889.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835287535.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835293393.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835311029.0000000000460000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835319576.000000000047B000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835326492.000000000047E000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900.jbxd
                                                Similarity
                                                • API ID: MessageSend$Timeout
                                                • String ID: !
                                                • API String ID: 1777923405-2657877971
                                                • Opcode ID: fbb483b0c38b2c52992a6a5b7edafa52747ff059505c006a33bc3772956b04e9
                                                • Instruction ID: 0f37489a7ff55aa34ce709233052591c61f0789b3923deb1f93634f017c8c928
                                                • Opcode Fuzzy Hash: fbb483b0c38b2c52992a6a5b7edafa52747ff059505c006a33bc3772956b04e9
                                                • Instruction Fuzzy Hash: E821AD7195420AAEEF05AFB4D94AAEE7BB0EF44304F10453EF601B61D1D7B84941CB98
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 77%
                                                			E00404C14(int _a4, intOrPtr _a8, signed int _a12, signed int _a16) {
                                                				char _v68;
                                                				char _v132;
                                                				void* __ebx;
                                                				void* __edi;
                                                				void* __esi;
                                                				signed int _t23;
                                                				signed int _t24;
                                                				void* _t31;
                                                				void* _t33;
                                                				void* _t34;
                                                				void* _t44;
                                                				signed int _t46;
                                                				signed int _t50;
                                                				signed int _t52;
                                                				signed int _t53;
                                                				signed int _t55;
                                                
                                                				_t23 = _a16;
                                                				_t53 = _a12;
                                                				_t44 = 0xffffffdc;
                                                				if(_t23 == 0) {
                                                					_push(0x14);
                                                					_pop(0);
                                                					_t24 = _t53;
                                                					if(_t53 < 0x100000) {
                                                						_push(0xa);
                                                						_pop(0);
                                                						_t44 = 0xffffffdd;
                                                					}
                                                					if(_t53 < 0x400) {
                                                						_t44 = 0xffffffde;
                                                					}
                                                					if(_t53 < 0xffff3333) {
                                                						_t52 = 0x14;
                                                						asm("cdq");
                                                						_t24 = 1 / _t52 + _t53;
                                                					}
                                                					_t25 = _t24 & 0x00ffffff;
                                                					_t55 = _t24 >> 0;
                                                					_t46 = 0xa;
                                                					_t50 = ((_t24 & 0x00ffffff) + _t25 * 4 + (_t24 & 0x00ffffff) + _t25 * 4 >> 0) % _t46;
                                                				} else {
                                                					_t55 = (_t23 << 0x00000020 | _t53) >> 0x14;
                                                					_t50 = 0;
                                                				}
                                                				_t31 = E0040644E(_t44, _t50, _t55,  &_v68, 0xffffffdf);
                                                				_t33 = E0040644E(_t44, _t50, _t55,  &_v132, _t44);
                                                				_t34 = E0040644E(_t44, _t50, 0x42d268, 0x42d268, _a8);
                                                				wsprintfW(_t34 + lstrlenW(0x42d268) * 2, L"%u.%u%s%s", _t55, _t50, _t33, _t31);
                                                				return SetDlgItemTextW( *0x433ed8, _a4, 0x42d268);
                                                			}




















                                                APIs
                                                • lstrlenW.KERNEL32(0042D268,0042D268,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404CB5
                                                • wsprintfW.USER32 ref: 00404CBE
                                                • SetDlgItemTextW.USER32 ref: 00404CD1
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.835235633.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.835227877.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835247650.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835255668.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835279889.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835287535.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835293393.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835311029.0000000000460000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835319576.000000000047B000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835326492.000000000047E000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900.jbxd
                                                Similarity
                                                • API ID: ItemTextlstrlenwsprintf
                                                • String ID: %u.%u%s%s
                                                • API String ID: 3540041739-3551169577
                                                • Opcode ID: 0de71dd1f65287a19c767322f40b6e95ae33ee85482e893f5b2d92d4d5838e0a
                                                • Instruction ID: 33068f1a2098bbc59acf923d0b26dc9f7285eb9428391dcb76f0b5068863668e
                                                • Opcode Fuzzy Hash: 0de71dd1f65287a19c767322f40b6e95ae33ee85482e893f5b2d92d4d5838e0a
                                                • Instruction Fuzzy Hash: 6A11EB73A041283BEB00656D9D46E9E329C9B85334F264237FA25F31D1E978C82182EC
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 58%
                                                			E00405CE6(WCHAR* _a4) {
                                                				WCHAR* _t9;
                                                
                                                				_t9 = _a4;
                                                				_push( &(_t9[lstrlenW(_t9)]));
                                                				_push(_t9);
                                                				if( *(CharPrevW()) != 0x5c) {
                                                					lstrcatW(_t9, 0x40a014);
                                                				}
                                                				return _t9;
                                                			}





                                                APIs
                                                • lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,004034B2,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040370F,?,00000007,00000009,0000000B), ref: 00405CEC
                                                • CharPrevW.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,004034B2,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040370F,?,00000007,00000009,0000000B), ref: 00405CF6
                                                • lstrcatW.KERNEL32(?,0040A014), ref: 00405D08
                                                Strings
                                                • C:\Users\user\AppData\Local\Temp\, xrefs: 00405CE6
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.835235633.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.835227877.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835247650.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835255668.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835279889.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835287535.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835293393.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835311029.0000000000460000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835319576.000000000047B000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835326492.000000000047E000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900.jbxd
                                                Similarity
                                                • API ID: CharPrevlstrcatlstrlen
                                                • String ID: C:\Users\user\AppData\Local\Temp\
                                                • API String ID: 2659869361-3081826266
                                                • Opcode ID: bed06d4f6a82b163f62297ef23baf12e7c7e8c5859eb2f34a161a285e0ec4316
                                                • Instruction ID: e2e9208f063340fd7176cb3713d1db1a131c248cac7d4947b15e4777b480a213
                                                • Opcode Fuzzy Hash: bed06d4f6a82b163f62297ef23baf12e7c7e8c5859eb2f34a161a285e0ec4316
                                                • Instruction Fuzzy Hash: 4FD0A771101A306AC1117B84AC05DDF669CAE85300381403BF201B30A4C77C1D5187FD
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 92%
                                                			E00402636(void* __ebx, void* __edx, intOrPtr* __edi) {
                                                				signed int _t14;
                                                				int _t17;
                                                				void* _t24;
                                                				intOrPtr* _t29;
                                                				void* _t31;
                                                				signed int _t32;
                                                				void* _t35;
                                                				void* _t40;
                                                				signed int _t42;
                                                
                                                				_t29 = __edi;
                                                				_t24 = __ebx;
                                                				_t14 =  *(_t35 - 0x28);
                                                				_t40 = __edx - 0x38;
                                                				 *(_t35 - 0x10) = _t14;
                                                				_t27 = 0 | _t40 == 0x00000000;
                                                				_t32 = _t40 == 0;
                                                				if(_t14 == __ebx) {
                                                					if(__edx != 0x38) {
                                                						_t17 = lstrlenW(E00402D3E(0x11)) + _t16;
                                                					} else {
                                                						E00402D3E(0x21);
                                                						E00406433("C:\Users\jones\AppData\Local\Temp\nso5721.tmp", "C:\Users\jones\AppData\Local\Temp\nso5721.tmp\System.dll", 0x400);
                                                						_t17 = lstrlenA("C:\Users\jones\AppData\Local\Temp\nso5721.tmp\System.dll");
                                                					}
                                                				} else {
                                                					E00402D1C(1);
                                                					 *0x40adf0 = __ax;
                                                					 *((intOrPtr*)(__ebp - 0x44)) = __edx;
                                                				}
                                                				 *(_t35 + 8) = _t17;
                                                				if( *_t29 == _t24) {
                                                					L13:
                                                					 *((intOrPtr*)(_t35 - 4)) = 1;
                                                				} else {
                                                					_t31 = E00406371(_t27, _t29);
                                                					if((_t32 |  *(_t35 - 0x10)) != 0 ||  *((intOrPtr*)(_t35 - 0x24)) == _t24 || E00405FE8(_t31, _t31) >= 0) {
                                                						_t14 = E00405FB9(_t31, "C:\Users\jones\AppData\Local\Temp\nso5721.tmp\System.dll",  *(_t35 + 8));
                                                						_t42 = _t14;
                                                						if(_t42 == 0) {
                                                							goto L13;
                                                						}
                                                					} else {
                                                						goto L13;
                                                					}
                                                				}
                                                				 *0x434fa8 =  *0x434fa8 +  *((intOrPtr*)(_t35 - 4));
                                                				return 0;
                                                			}













                                                APIs
                                                • lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nso5721.tmp\System.dll), ref: 0040268D
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.835235633.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.835227877.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835247650.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835255668.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835279889.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835287535.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835293393.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835311029.0000000000460000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835319576.000000000047B000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835326492.000000000047E000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900.jbxd
                                                Similarity
                                                • API ID: lstrlen
                                                • String ID: C:\Users\user\AppData\Local\Temp\nso5721.tmp$C:\Users\user\AppData\Local\Temp\nso5721.tmp\System.dll
                                                • API String ID: 1659193697-720185546
                                                • Opcode ID: 9f91aca178a37e6ed0b54cb78eabbee860e101ef043324f56c33086d30ece071
                                                • Instruction ID: 2f8f56cab2ec293de193d712fca88bf9bcdcc229c68306483e13e7e6ef2e3e02
                                                • Opcode Fuzzy Hash: 9f91aca178a37e6ed0b54cb78eabbee860e101ef043324f56c33086d30ece071
                                                • Instruction Fuzzy Hash: AD11E772A00205ABCB10AFB18F4AAAF77719F44748F25043FE402B71C1EAFD8891565E
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E00402FB1(intOrPtr _a4) {
                                                				long _t2;
                                                				struct HWND__* _t3;
                                                				struct HWND__* _t6;
                                                
                                                				if(_a4 == 0) {
                                                					if( *0x42aa20 == 0) {
                                                						_t2 = GetTickCount();
                                                						if(_t2 >  *0x434f10) {
                                                							_t3 = CreateDialogParamW( *0x434f00, 0x6f, 0, E00402F2B, 0);
                                                							 *0x42aa20 = _t3;
                                                							return ShowWindow(_t3, 5);
                                                						}
                                                						return _t2;
                                                					} else {
                                                						return E00406842(0);
                                                					}
                                                				} else {
                                                					_t6 =  *0x42aa20;
                                                					if(_t6 != 0) {
                                                						_t6 = DestroyWindow(_t6);
                                                					}
                                                					 *0x42aa20 = 0;
                                                					return _t6;
                                                				}
                                                			}







                                                APIs
                                                • DestroyWindow.USER32(?,00000000,0040318F,00000001,?,00000007,00000009,0000000B), ref: 00402FC4
                                                • GetTickCount.KERNEL32 ref: 00402FE2
                                                • CreateDialogParamW.USER32 ref: 00402FFF
                                                • ShowWindow.USER32(00000000,00000005,?,00000007,00000009,0000000B), ref: 0040300D
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.835235633.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.835227877.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835247650.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835255668.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835279889.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835287535.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835293393.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835311029.0000000000460000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835319576.000000000047B000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835326492.000000000047E000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900.jbxd
                                                Similarity
                                                • API ID: Window$CountCreateDestroyDialogParamShowTick
                                                • String ID:
                                                • API String ID: 2102729457-0
                                                • Opcode ID: e942aba91c3d4d0b77748caef32317d1a3e8dc78421a0242562119172c6ce506
                                                • Instruction ID: d33bc14a5fcc1787285ca97da28f022d839d2e13e88132ee71d9f244d0d7cdfd
                                                • Opcode Fuzzy Hash: e942aba91c3d4d0b77748caef32317d1a3e8dc78421a0242562119172c6ce506
                                                • Instruction Fuzzy Hash: 4AF05E3160AA21ABC6216F10FF0DA8B7B64BB48B41741487AF842B15E9DB740CA1DB9D
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 53%
                                                			E00405DEE(void* __eflags, intOrPtr _a4) {
                                                				int _t11;
                                                				signed char* _t12;
                                                				intOrPtr _t18;
                                                				intOrPtr* _t21;
                                                				signed int _t23;
                                                
                                                				E00406411(0x42fa70, _a4);
                                                				_t21 = E00405D91(0x42fa70);
                                                				if(_t21 != 0) {
                                                					E004066C0(_t21);
                                                					if(( *0x434f1c & 0x00000080) == 0) {
                                                						L5:
                                                						_t23 = _t21 - 0x42fa70 >> 1;
                                                						while(1) {
                                                							_t11 = lstrlenW(0x42fa70);
                                                							_push(0x42fa70);
                                                							if(_t11 <= _t23) {
                                                								break;
                                                							}
                                                							_t12 = E0040676F();
                                                							if(_t12 == 0 || ( *_t12 & 0x00000010) != 0) {
                                                								E00405D32(0x42fa70);
                                                								continue;
                                                							} else {
                                                								goto L1;
                                                							}
                                                						}
                                                						E00405CE6();
                                                						return 0 | GetFileAttributesW(??) != 0xffffffff;
                                                					}
                                                					_t18 =  *_t21;
                                                					if(_t18 == 0 || _t18 == 0x5c) {
                                                						goto L1;
                                                					} else {
                                                						goto L5;
                                                					}
                                                				}
                                                				L1:
                                                				return 0;
                                                			}









                                                APIs
                                                  • Part of subcall function 00406411: lstrcpynW.KERNEL32(?,?,00000400,00403596,00433F00,NSIS Error,?,00000007,00000009,0000000B), ref: 0040641E
                                                  • Part of subcall function 00405D91: CharNextW.USER32(?,?,0042FA70,?,00405E05,0042FA70,0042FA70,7476FAA0,?,C:\Users\user\AppData\Local\Temp\,00405B43,?,7476FAA0,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405D9F
                                                  • Part of subcall function 00405D91: CharNextW.USER32(00000000), ref: 00405DA4
                                                  • Part of subcall function 00405D91: CharNextW.USER32(00000000), ref: 00405DBC
                                                • lstrlenW.KERNEL32(0042FA70,00000000,0042FA70,0042FA70,7476FAA0,?,C:\Users\user\AppData\Local\Temp\,00405B43,?,7476FAA0,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405E47
                                                • GetFileAttributesW.KERNEL32(0042FA70,0042FA70,0042FA70,0042FA70,0042FA70,0042FA70,00000000,0042FA70,0042FA70,7476FAA0,?,C:\Users\user\AppData\Local\Temp\,00405B43,?,7476FAA0,C:\Users\user\AppData\Local\Temp\), ref: 00405E57
                                                Strings
                                                • C:\Users\user\AppData\Local\Temp\, xrefs: 00405DEE
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.835235633.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.835227877.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835247650.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835255668.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835279889.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835287535.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835293393.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835311029.0000000000460000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835319576.000000000047B000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835326492.000000000047E000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900.jbxd
                                                Similarity
                                                • API ID: CharNext$AttributesFilelstrcpynlstrlen
                                                • String ID: C:\Users\user\AppData\Local\Temp\
                                                • API String ID: 3248276644-3081826266
                                                • Opcode ID: d647ba489e44e4c384e8f234fc99267bc74e37b9af3ba258ec0477dc6db0c33a
                                                • Instruction ID: 87735b5e832f2f8e04389b482ed260ad6458a913df04a2d72dce2697f876d431
                                                • Opcode Fuzzy Hash: d647ba489e44e4c384e8f234fc99267bc74e37b9af3ba258ec0477dc6db0c33a
                                                • Instruction Fuzzy Hash: A5F0F435104D2216C63233369D09AAF1548CE82364759453BF8D1B22D1DB3C8B838CED
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E00403A4B() {
                                                				void* _t2;
                                                				void* _t3;
                                                				void* _t6;
                                                				void* _t8;
                                                
                                                				_t8 =  *0x42b22c;
                                                				_t3 = E00403A30(_t2, 0);
                                                				if(_t8 != 0) {
                                                					do {
                                                						_t6 = _t8;
                                                						_t8 =  *_t8;
                                                						FreeLibrary( *(_t6 + 8));
                                                						_t3 = GlobalFree(_t6);
                                                					} while (_t8 != 0);
                                                				}
                                                				 *0x42b22c =  *0x42b22c & 0x00000000;
                                                				return _t3;
                                                			}








                                                APIs
                                                • FreeLibrary.KERNEL32(?,7476FAA0,00000000,C:\Users\user\AppData\Local\Temp\,00403A23,00403839,00000007,?,00000007,00000009,0000000B), ref: 00403A65
                                                • GlobalFree.KERNEL32 ref: 00403A6C
                                                Strings
                                                • C:\Users\user\AppData\Local\Temp\, xrefs: 00403A4B
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.835235633.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.835227877.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835247650.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835255668.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835279889.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835287535.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835293393.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835311029.0000000000460000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835319576.000000000047B000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835326492.000000000047E000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900.jbxd
                                                Similarity
                                                • API ID: Free$GlobalLibrary
                                                • String ID: C:\Users\user\AppData\Local\Temp\
                                                • API String ID: 1100898210-3081826266
                                                • Opcode ID: 14d9b0f9b7ecca22f0083886da8930ddd6c03ed0d6fdc94ff3a28603f1b7b4ab
                                                • Instruction ID: 631b6d606f958dd3b9f901d17eba749f6bbdc97bd5f3e27fdad90cb16f3fbd8e
                                                • Opcode Fuzzy Hash: 14d9b0f9b7ecca22f0083886da8930ddd6c03ed0d6fdc94ff3a28603f1b7b4ab
                                                • Instruction Fuzzy Hash: 1CE0EC3261212097C7219F55BE08B6E7768AF48B22F06146AE9C5BB2608B745D424FD8
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 77%
                                                			E00405D32(WCHAR* _a4) {
                                                				WCHAR* _t5;
                                                				WCHAR* _t7;
                                                
                                                				_t7 = _a4;
                                                				_t5 =  &(_t7[lstrlenW(_t7)]);
                                                				while( *_t5 != 0x5c) {
                                                					_push(_t5);
                                                					_push(_t7);
                                                					_t5 = CharPrevW();
                                                					if(_t5 > _t7) {
                                                						continue;
                                                					}
                                                					break;
                                                				}
                                                				 *_t5 =  *_t5 & 0x00000000;
                                                				return  &(_t5[1]);
                                                			}






                                                APIs
                                                • lstrlenW.KERNEL32(?,C:\Users\user\Desktop,00403081,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe,C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe,80000000,00000003,?,00000007,00000009,0000000B), ref: 00405D38
                                                • CharPrevW.USER32(?,00000000,?,C:\Users\user\Desktop,00403081,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe,C:\Users\user\Desktop\CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900299348.exe,80000000,00000003,?,00000007,00000009,0000000B), ref: 00405D48
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.835235633.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.835227877.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835247650.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835255668.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835279889.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835287535.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835293393.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835311029.0000000000460000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835319576.000000000047B000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.835326492.000000000047E000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900.jbxd
                                                Similarity
                                                • API ID: CharPrevlstrlen
                                                • String ID: C:\Users\user\Desktop
                                                • API String ID: 2709904686-224404859
                                                • Opcode ID: ca28fb495e832aca3bc5bc38fa8d5a1d536c38e2997e226eadf599fe90d3b243
                                                • Instruction ID: cdcea1fdb6b733c318131938d2018cbcd3f5257763d90021158e822df2c29c6c
                                                • Opcode Fuzzy Hash: ca28fb495e832aca3bc5bc38fa8d5a1d536c38e2997e226eadf599fe90d3b243
                                                • Instruction Fuzzy Hash: FCD05EB24009209AC3126704DC0999F67A8FF5130078A842BF541AA1A4D7785C818AAC
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E739A10E1(signed int _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
                                                				void* _v0;
                                                				void* _t17;
                                                				signed int _t19;
                                                				void* _t20;
                                                				void* _t24;
                                                				void* _t26;
                                                				void* _t30;
                                                				void* _t36;
                                                				void* _t38;
                                                				void* _t39;
                                                				signed int _t41;
                                                				void* _t42;
                                                				void* _t51;
                                                				void* _t52;
                                                				signed short* _t54;
                                                				void* _t56;
                                                				void* _t59;
                                                				void* _t61;
                                                
                                                				 *0x739a506c = _a8;
                                                				 *0x739a5070 = _a16;
                                                				 *0x739a5074 = _a12;
                                                				 *((intOrPtr*)(_a20 + 0xc))( *0x739a5048, E739A15B1, _t51, _t56);
                                                				_t41 =  *0x739a506c +  *0x739a506c * 4 << 3;
                                                				_t17 = E739A1243();
                                                				_v0 = _t17;
                                                				_t52 = _t17;
                                                				if( *_t17 == 0) {
                                                					L16:
                                                					return GlobalFree(_t17);
                                                				} else {
                                                					do {
                                                						_t19 =  *_t52 & 0x0000ffff;
                                                						_t42 = 2;
                                                						_t54 = _t52 + _t42;
                                                						_t61 = _t19 - 0x6c;
                                                						if(_t61 > 0) {
                                                							_t20 = _t19 - 0x70;
                                                							if(_t20 == 0) {
                                                								L12:
                                                								_t52 = _t54 + _t42;
                                                								_t24 = E739A1272(E739A12BA(( *_t54 & 0x0000ffff) - 0x30));
                                                								L13:
                                                								GlobalFree(_t24);
                                                								goto L14;
                                                							}
                                                							_t26 = _t20 - _t42;
                                                							if(_t26 == 0) {
                                                								L10:
                                                								_t52 =  &(_t54[1]);
                                                								_t24 = E739A12E1(( *_t54 & 0x0000ffff) - 0x30, E739A1243());
                                                								goto L13;
                                                							}
                                                							L7:
                                                							if(_t26 == 1) {
                                                								_t30 = GlobalAlloc(0x40, _t41 + 4);
                                                								 *_t30 =  *0x739a5040;
                                                								 *0x739a5040 = _t30;
                                                								E739A1563(_t30 + 4,  *0x739a5074, _t41);
                                                								_t59 = _t59 + 0xc;
                                                							}
                                                							goto L14;
                                                						}
                                                						if(_t61 == 0) {
                                                							L17:
                                                							_t33 =  *0x739a5040;
                                                							if( *0x739a5040 != 0) {
                                                								E739A1563( *0x739a5074, _t33 + 4, _t41);
                                                								_t59 = _t59 + 0xc;
                                                								_t36 =  *0x739a5040;
                                                								GlobalFree(_t36);
                                                								 *0x739a5040 =  *_t36;
                                                							}
                                                							goto L14;
                                                						}
                                                						_t38 = _t19 - 0x4c;
                                                						if(_t38 == 0) {
                                                							goto L17;
                                                						}
                                                						_t39 = _t38 - 4;
                                                						if(_t39 == 0) {
                                                							 *_t54 =  *_t54 + 0xa;
                                                							goto L12;
                                                						}
                                                						_t26 = _t39 - _t42;
                                                						if(_t26 == 0) {
                                                							 *_t54 =  *_t54 + 0xa;
                                                							goto L10;
                                                						}
                                                						goto L7;
                                                						L14:
                                                					} while ( *_t52 != 0);
                                                					_t17 = _v0;
                                                					goto L16;
                                                				}
                                                			}

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.835830546.00000000739A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 739A0000, based on PE: true
                                                 • Associated: 00000000.00000002.835810972.00000000739A0000.00000002.00000001.01000000.00000004.sdmp
                                                 • Associated: 00000000.00000002.835840431.00000000739A4000.00000002.00000001.01000000.00000004.sdmp
                                                 • Associated: 00000000.00000002.835888037.00000000739A6000.00000002.00000001.01000000.00000004.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_739a0000_CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900.jbxd
                                                Similarity
                                                • API ID: Global$Free$Alloc
                                                • String ID:
                                                • API String ID: 1780285237-0
                                                • Opcode ID: f8808ec01c8e686d4c3b1e2826e4c411eb448cc036b09fc7d9257c9fcb422287
                                                • Instruction ID: 2c251e892aa361756720a97b75f7c8945b5af9689b8caaef9c3e20ed9b3de577
                                                • Opcode Fuzzy Hash: f8808ec01c8e686d4c3b1e2826e4c411eb448cc036b09fc7d9257c9fcb422287
                                                • Instruction Fuzzy Hash: 203184B2608221EFE7009F6DC945B3677FCEF452507144729E88ADB254E774D841DBA2
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E00405E6C(void* __ecx, CHAR* _a4, CHAR* _a8) {
                                                				int _v8;
                                                				int _t12;
                                                				int _t14;
                                                				int _t15;
                                                				CHAR* _t17;
                                                				CHAR* _t27;
                                                
                                                				_t12 = lstrlenA(_a8);
                                                				_t27 = _a4;
                                                				_v8 = _t12;
                                                				while(lstrlenA(_t27) >= _v8) {
                                                					_t14 = _v8;
                                                					 *(_t14 + _t27) =  *(_t14 + _t27) & 0x00000000;
                                                					_t15 = lstrcmpiA(_t27, _a8);
                                                					_t27[_v8] =  *(_t14 + _t27);
                                                					if(_t15 == 0) {
                                                						_t17 = _t27;
                                                					} else {
                                                						_t27 = CharNextA(_t27);
                                                						continue;
                                                					}
                                                					L5:
                                                					return _t17;
                                                				}
                                                				_t17 = 0;
                                                				goto L5;
                                                			}

                                                APIs
                                                • lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00406151,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E7C
                                                • lstrcmpiA.KERNEL32(00000000,00000000,?,00000000,00406151,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E94
                                                • CharNextA.USER32(00000000,?,00000000,00406151,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405EA5
                                                • lstrlenA.KERNEL32(00000000,?,00000000,00406151,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405EAE
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.835235633.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.835227877.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.835247650.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.835255668.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.835279889.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.835287535.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.835293393.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.835311029.0000000000460000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.835319576.000000000047B000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.835326492.000000000047E000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_CONTRACT_REVISED-SHIPMENT-DOCUMENTS_EXPORTS_REFERENCE-QT63637-02993900.jbxd
                                                Similarity
                                                • API ID: lstrlen$CharNextlstrcmpi
                                                • String ID:
                                                • API String ID: 190613189-0
                                                • Opcode ID: 21d608d80335ac136f0ceeda94a64e737efc7ffd0529c55eb96d3cb5f29812e9
                                                • Instruction ID: 346f7042b660fb70b52ae74c1c6e121eab6bc84344666f805f11c7930e864ff2
                                                • Opcode Fuzzy Hash: 21d608d80335ac136f0ceeda94a64e737efc7ffd0529c55eb96d3cb5f29812e9
                                                • Instruction Fuzzy Hash: A8F06231505418FFD7029BA5DE0099FBBA8EF56250B2540AAE880F7250D674EF019BA9
                                                Uniqueness

                                                Uniqueness Score: -1.00%